An Overview of U.S. Export Control and Economic Sanctions Laws
Every company that sends its products, software, or technology outside of the United States is subject to U.S. export control and economic sanction regulations. From the largest multinational corporations to the smallest start-ups, from manufacturers of software to softballs, from toothpicks to pharmaceuticals, from rock candy to rocket fuel, all US companies and their employees along with anyone present in the United States and US citizens wherever located must familiarize themselves with these regulations to ensure that they understand what is required to comply. In addition, companies who do not export their products can still be subject to these regulations if they employ foreign nationals (individuals who are not US citizens, permanent residents or refugees) or have visitors or prospective customers visiting who are foreign nationals. Penalties for inadvertent non-compliance can be steep, with civil monetary penalties of up to approximately $280,000 per violation and even higher criminal penalties.
The US export control regulations were enacted to ensure that transfers of items, technology, or services are accomplished in a manner that is consistent with the US government’s national security and foreign policy goals. The US economic sanctions laws are promulgated to restrict trade, investment, and financial transactions based on these foreign policy and national security goals. Coordinating regulations also restrict a US company’s ability to participate in unsanctioned foreign boycotts.
The purpose of this article is to provide an overview of the primary laws and regulations involved and provide guidance on how to develop and implement policies and procedures that will be effective in helping your organization maintain compliance with these laws. This is, of course, meant to be a broad overview of the export control and economic sanctions laws and related compliance tools. These laws contain many fine points and exceptions, which, although not addressed in this chapter, are important to appreciate if they are relevant to your company’s business. Thus, we urge you to dig deeper into the regulations when a transaction appears to require licensing or if you are to embark on a business strategy where foreign person involvement is required. Finally, we note these laws frequently change in response to changes in US perspective on national security and foreign policy. Therefore, it is essential for companies and individuals engaged in international business transactions to check the official versions of the export control and economic sanctions laws, as well as the Federal Register, on an ongoing basis.
When using the term export control laws, we are primarily talking about the Export Administration Regulations (EAR), administered by the U.S. Department of Commerce’s (Commerce) Bureau of Industry and Security (BIS), the International Traffic in Arms Regulations (ITAR), administered by the U.S. Department of State’s (State) Directorate of Defense Trade Controls (DDTC), and trade and economic sanctions administered by the Office of Foreign Assets Control (OFAC) at the U.S. Department of the Treasury.
The Export Administration Regulations
Products, software, and technology that have a primarily commercial use fall under the EAR. The EAR include restrictions on direct exports from the United States; reexports of US-origin products, software, and technology from one country outside of the United States to another; and the disclosure of US-origin technology to a foreign person, whether in the United States or abroad. These restrictions include the export, reexport, or transfer of US-origin products, software, and technology, as well as the reexport or transfer of certain items produced outside of the United States that are either based on US origin technology or that incorporate a certain amount of US origin parts and components. The restrictions imposed by the EAR generally fall into one of three categories: item-based controls, end-user-based controls, and end-use based controls.
A key feature of the EAR is the Commerce Control List (CCL), a list of products, software, and technologies that are controlled based on their technical parameters. Classification of products, software, or technologies on the CCL generally also provides guidance on the countries to which the export or reexport is controlled and the circumstances under which the products, software, or technologies may be exported or reexported. Thus, consulting the CCL and identifying the applicable Export Control Classification Number (ECCN) is the first and most important step in determining whether a license is required under the EAR. Products, software, and technologies that are subject to the EAR, but not included in a specific ECCN, are classified as EAR99. EAR99 items are still subject to US export controls.
As noted above, the EAR also provide parameters for the export, reexport, or transfer of US-origin technology. Under the EAR, the term “technology” is broadly defined to include “information necessary for the ‘development,’ ‘production,’ ‘use,’ operation, installation, maintenance, repair, overhaul, or refurbishing. . . of an item.” “Technology” includes “written or oral communications, blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, manuals or documentation, electronic media or information revealed through visual inspection.”
Whether a license is required for the export of products, software, and technologies is determined by the items’ classification in combination with the country that it is destined for. Where products, software, and technologies are subject to a licensing requirement under the EAR, one of several license exceptions may be available, thus permitting, in some cases, an export, reexport, or transfer, without the need to first obtain a license. A description of these license exceptions can be found in Part 740 of the EAR.
In addition to the item-based controls described above, the EAR also, depending on the particular list that includes the individual or entity, prohibits, requires a license for, or mandates additional due diligence regarding exports, reexports, and transfers of products, software, and technologies subject to the EAR. The US government has determined that these individuals and entities may pose a risk to US national security or foreign policy goals, or that the end-user may divert such products, software, and technologies to a program supporting the development or proliferation of weapons of mass destruction. The lists include the following:
Denied Persons List (DPL): BIS’s DPL identifies those persons denied export privileges under the EAR by BIS as a consequence for having violated the EAR. Persons on the DPL are prohibited from engaging in any export or reexport transaction involving any products, software, or technologies subject to the EAR or in any other activity subject to the EAR. Available at: https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/denied-persons-list (last visited on Aug. 5, 2019).
Entity List: The Entity List, maintained by BIS, identifies those persons whose activities BIS has determined pose a risk of diversion to weapons of mass destruction programs, including nuclear, chemical, and biological weapons, as well as missiles and their delivery systems. Placement on the Entity List means that a license is required from BIS before most if not all products, software, or technologies subject to EAR can be sent to a listed entity. Generally, BIS has a presumption of denial for such license applications. Available at: https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list (last visited on Aug. 5, 2019).
The Unverified List (UVL): BIS’s UVL is a list of persons involved in prior transactions subject to the EAR for which BIS has not determined the legitimacy of that entity or the veracity of the entity’s intention to properly use US-origin products, software, or technologies. Being listed on the UVL neither prohibits a company from receiving US-origin products, software, or technologies, nor imposes a new license requirement, but rather raises a “red flag” with respect to transactions that include these entities. Companies are required to clear such “red flags,” through additional due diligence or other assurances, before proceeding with a transaction. If an exporter cannot clear up the red flags, it must apply to BIS for a license for the transaction before proceeding further. Available at: https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/unverified-list (last visited on Aug. 5, 2019).
Additionally, other agencies maintain similar lists of restricted parties. These lists include:
OFAC’s Specially Designated Nationals List (SDN List) and Sectoral Sanctions Identifications (SSI) List, available at https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx (last visited on Aug. 5, 2019)
State’s list of Foreign Terrorist Organizations (FTO List), available at: https://www.state.gov/j/ct/rls/other/des/123085.htm (last visited on Aug. 5, 2019)
List of Statutorily Debarred Parties (Debarred List), available at https://www.pmddtc.state.gov/ddtc_public?id=ddtc_kb_article_page&sys_id=7188dac6db3cd30044f9ff621f961914 (last visited on Aug. 5, 2019).
The licensing requirements for exports, reexports, or transfers to parties on any of the lists typically extend to all products, software, and technologies subject to the EAR including items listed on the CCL as well as items classified as EAR99.
In addition, to comply with the EAR, prior to exporting, a company should screen for “red flags,” listed in the EAR’s “BIS’s ‘KNOW YOUR CUSTOMER’ Guidance and Red Flags.” When present, red flags can “indicate that the export may be destined for an inappropriate end-use, end-user, or destination.” To assess whether such red flags are present, a company should review transaction information provided by a customer with an eye towards identifying anything that may not align with the norm for the particular business or products involved. If red flags appear, a company must conduct additional due diligence into the customer’s representations in an attempt to clear the red flags. If a company is unable to clear a red flag, a company is, under the EAR, now considered to know or have reason to know that a violation may occur and, thus, must mitigate a potential violation by either canceling the transaction or, prior to exporting, obtaining a license or other guidance from BIS.
The EAR also places certain restrictions on exports and reexports to countries embargoed or sanctioned by the US government. Currently, the EAR imposes significant restrictions on any transactions involving Cuba, Iran, North Korea, Sudan, Syria and the Crimea Region of the Ukraine.
The EAR also imposes a license requirement on the export, reexport, or transfer of any item subject to the EAR (both those on the CCL and classified as EAR99) if at the time of the export or reexport the person knows the item will be used directly or indirectly in certain nuclear, missile, chemical, or biological end-uses.
The International Traffic in Arms Regulations
The export, reexport, or transfer of products, software, technical data, and services that are uniquely military fall under ITAR. Items controlled under the ITAR are listed on the United States Munitions List (USML). Over the past few years, the State Department has been working on implementing the President’s Export Control Reform (ECR) initiative, which among other things, lays out a process to transfer items that have been determined to be less sensitive (e.g., parts and components) from the USML to the CCL. These changes have transformed the USML from a list that included many “catch-all” provisions to a more specific list that enumerates controlled items.
Additionally, the ITAR controls “defense services”. These defense services include “[t]he furnishing of assistance (including training) to foreign persons, whether in the United States or abroad in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles.” Thus, it is important to note that if you are working with a military customer, whether US military or foreign military, the ITAR may apply unless you are strictly selling unmodified, unconfigured, commercial off-the-shelf (COTS) equipment without installation or integration services.
The ITAR includes restrictions on any exports from the United States or reexport or transfer to a third country, of US-origin ITAR-controlled products, software, technical data, or services, or transfer to non-US nationals, whether in the United States or abroad, of US-origin technical data or services. Export licensing policies under the ITAR are, not surprisingly, more restrictive than under the EAR, and there are many countries, including China, that cannot receive licenses under the ITAR.
These regulations also impose registration requirements for exporters, manufacturers and brokers of ITAR-controlled goods and a mandate to report fees and commissions paid in connection with certain sales of US origin defense articles, defense services, and related technology.
Economic Sanctions and Other Trade-Related Sanctions
Trade and economic sanctions laws and regulations deal with country-specific restrictions or prohibitions administered by the U.S. Department of the Treasury’s (Treasury) Office of Foreign Assets Control (OFAC). These rules restrict trade, investment, and financial transactions with certain countries by US citizens, US companies, including branches outside of the United States, and, in some instances, US-owned or controlled subsidiaries.
Simply put, there are two main categories of OFAC sanctions. First, a short list of countries (and one region) are subject to comprehensive embargoes on the export and import of goods, technology, and services. These areas include Cuba, Iran, North Korea, Syria, and the Crimea region of the Ukraine. Additionally, although restrictions have eased over the last couple of years on Iran, these restrictions are currently being strengthened again. In additional countries, the property of listed individuals and entities is “blocked”. In these countries, there is no restriction on the export to or import from these countries unless the parties involved are blocked persons.
In general, OFAC regulations, beyond prohibiting exports and reexports to sanctioned countries, prohibit nearly all trade (imports and exports), investment, services, and any other form of activity or transaction between “US persons” and any sanctions target. The prohibition on the provision of services would include many online services and products hosted on the Internet even if no software is available for download. However, there are some authorizations for the export of “information and informational materials” as well as “personal communications” services, software, and equipment.
It is important to note that both BIS and OFAC may have jurisdiction and licensing requirements for exports and reexports to the embargoed countries. It is, therefore, important to consult both the EAR and OFAC regulations to determine how to proceed with a transaction involving an embargoed country.
Both BIS and Treasury’s Internal Revenue Service (IRS) administer antiboycott regulations that are designed principally to counter the Arab League boycott of Israel and Israeli goods. These laws apply directly to US-owned or controlled subsidiaries.
Risks Related to Noncompliance
The implementation of compliance programs costs money and compliance with US controls can cost businesses opportunities. Companies, because they exist to make money, may be hesitant to spend money on export compliance. Additionally, new companies, in particular, may have limited resources. However, investment in export compliance can shield companies from potentially costly penalties—limited spending now will, should a violation occur, result in considerable savings later. For evidence of the costs associated with failure to establish and maintain adequate compliance policies and procedures, companies need not look beyond the fines and penalties that can be levied for violations.
The International Economic Emergency Powers Act (IEEPA) provides the statutory basis for most of the OFAC regulations. Thus, violations of most OFAC regulations are penalized under IEEPA. IEEPA provides for civil penalties, per violation, of up to approximately $280,000 or twice the value of the transaction, whichever is greater, and criminal monetary penalties of up to $1 million for each violation, a maximum term of imprisonment of 20 years per violation, or both.
Violations of the EAR may be subject to both criminal and administrative penalties. Under the Export Control Reform Act of 2018 (“ECRA”), criminal penalties can include up to 20 years of imprisonment and up to $1 million in fines per violation, or both. Administrative monetary penalties can reach up to $300,000 per violation or twice the value of the transaction, whichever is greater.
In addition to the fines and penalties, violations of the EAR may result in the imposition of a denial order against a person who has violated the EAR. A denial order prohibits the listed entity, for an enumerated period of time, from exporting, reexporting, or transferring products, software, or technology subject to the EAR, or participating in any way in any export or transaction subject to the EAR. A denial order also prohibits third parties from engaging in any transaction subject to the EAR with the entity named in the denial order.
Civil violations of the ITAR can result in fines of close to $1 million per violation. Each criminal violation of the ITAR may result in a fine of up to more than $1 million, imprisonment for up to 20 years, or both. Like a Denial Order under the EAR, persons or entities charged with violations of the ITAR may be debarred from exporting products, software, or technical data controlled under the USML, or selling such products, software, or technical data domestically when it will be exported from the United States. A debarment may be either for a set period of time or until the State Department releases the debarment.
The Trading with the Enemy Act (TWEA) is the statutory basis for OFAC’s regulations relating to Cuba. Each violation carries a civil fine of up to approximately $87,000. Companies charged with a criminal violation of TWEA can face fines of up to $1 million or twice the loss or gain from the transaction leading to the violation. Individuals convicted of a criminal violation of TWEA face per violation penalties of up to $250,000, 10 years in prison, or both.
In addition to civil and criminal penalties, any property, funds, vessels, vehicles, or equipment connected with a violation, can be seized and forfeited by the US government.
Key Considerations for Risk Analysis
Most investigations of export control and economic sanctions law violations are performed by three federal law enforcement agencies. Primary responsibility for investigating violations of the EAR and economic sanctions laws is vested in the Office of Export Enforcement (OEE) within BIS. Immigration and Customs Enforcement (ICE) at the U.S. Department of Homeland Security has primary responsibility for investigating violations of the ITAR but may also investigate violations of the EAR and economic sanctions laws. Finally, the Federal Bureau of Investigation (FBI) has the authority to investigate violations of all export control and economic sanctions laws. The Defense Criminal Investigative Service (DCIS) also plays an active role in ITAR violation investigations. Of course, all criminal prosecutions of such cases are handled by U.S. Attorney’s Offices throughout the country and the National Security Division at the U.S. Department of Justice (Justice).
Although there has traditionally been some level of cooperation between these law enforcement agencies, the launch of a national export control initiative by Justice in October 2007 was a signal that Justice had put the investigation and prosecution of export control and economic sanctions cases into the spotlight. With a mandate to “harness the counter-proliferation assets of US law enforcement, licensing, and intelligence agencies to combat the growing national security threat posed by illegal exports of restricted US military and dual-use technology to foreign nations and terrorist organizations,” then Assistant Attorney General for National Security, Kenneth L. Wainstein introduced the creation of new Counter-Proliferation Task Forces in several U.S. Attorney’s offices around the country, the development and implementation of specialized training for prosecutors, and the appointment of Justice’s first National Export Control Coordinator.
Formation of the multi-agency task forces and enhanced communication and coordination with BIS, DDTC, and OFAC has led to an increase in both the investigation and prosecution of export control and economic sanctions cases, as well as a rise in administrative cases and fines.
Before criminally prosecuting a company or individual for a violation of export control and economic sanctions laws, the US government must prove that a company or individual had knowledge of and willfully violated such laws. On the other hand, the administrative enforcement of export control and economic sanctions laws is based on strict liability. Thus, the US government can assess administrative or civil fines and penalties solely based on the fact that a violation has occurred. There is no need for an agency to develop evidence that a company or individual intentionally violated the laws or even knew about the law in the first place. As discussed below, however, there are several ways to mitigate any potential fines or penalties that may result from a violation of these laws.
Strategies and Challenges with Risk Mitigation
In order to mitigate the potential risk associated with export violations, companies have to invest in compliance, which includes developing export control-related compliance policies and procedures and a company culture of compliance. Ignorance of regulatory requirements is not an excuse for noncompliance. Federal regulations require anyone who exports products, software, technology, or services from the United States to establish and maintain controls designed to reasonably ensure compliance with federal laws and regulations. If you are an exporter, you can, at any point in time, be subject to a compliance review by the US government. Knowing if you have a problem before the government does and fixing it so that you do not become the subject of an investigation requires a company to commit resources and support to establish, implement, and maintain an effective compliance program. Companies with successful compliance policies and procedures have included all of the following key components:
A tone of compliance that starts at the top of the organization;
The hiring of executives who conduct themselves in a compliant manner;
A method for anonymous reporting;
A plan and method for monitoring and periodically reviewing the effectiveness of the policies and procedures and detecting and deterring conduct that is inconsistent with laws, regulations, and the company’s policies and procedures; and
A method, when necessary, for disclosure to the government of violations.
The structure and make-up of compliance requirements change depending on the type and frequency of items exported by the company. The more controlled a company’s products, the more comprehensive a company’s compliance policy must be to tackle the responsibility.
The requirements described in the export control and economic sanctions laws may seem overwhelming without a system to establish procedures, implement effective internal controls, and promote accountability. An Export Management Compliance Plan (EMCP) takes individual decisions and pieces of information and builds them into an organized, integrated system. It is a program which can be established to manage export-related decisions and transactions in an effort to ensure compliance with export control and economic sanctions laws.
In order to be successful, an EMCP must reinforce, to everyone in the company, senior management’s commitment to comply with export control and economic sanctions laws. In addition, a well-written and implemented EMCP will accomplish several key goals including:
Establishment of a structure and organization for managing and processing export transactions;
Enhanced accountability for tasks related to compliance with export control and economic sanctions laws by identifying (a) a manager responsible for ensuring the overall effectiveness of the EMCP and (b) employees accountable for performing each piece of the process;
Implementation of compliance safeguards throughout a company’s supply chain, which will lead to a consistent process for conducting due diligence checks and making compliance decisions;
The provision of written instructions to employees on how to incorporate export transaction screening into their daily responsibilities to prevent prohibited exports, reexports, or transfers;
Identification of a method for employees to identify and communicate indicators that red flags may be present;
Foundation of tools to help employees accurately and consistently perform duties related to export controls and economic sanctions;
Recognition of when a transaction will require licensing;
Streamlining of compliance processes through clear and concise written instructions, appropriate compliance tools, and appropriate training; and
Prevention of inadvertent violations through enhanced awareness of legal requirements.
A comprehensive EMCP is the best way to ensure compliance with laws. Since, however, no two companies do the exact same thing or operate in the same way, each company must tailor its EMCP to correspond to specific needs. In order to do so, a company must first conduct a review of its current export compliance procedures. Successful compliance reviews will include the following steps:
Gathering export control and economic sanctions related policies, procedures, forms, tools, or checklists currently in use by company employees;
Identifying relevant employees who have or should have export control responsibilities (including engineering, shipping, human resources, information technology, sales, marketing);
Assessing awareness within the company of export control and economic sanctions related legal requirements and any of the compliance policies and procedures, forms, tools, and checklists that were identified;
Spot-checking transactions in identified focus areas (possible risk areas include research and development and foreign nationals/dual-nationals) including exports from the United States as well as reexports or transfers from one international site to another;
Determining the effectiveness of any such compliance policies and procedures, forms, tools, and checklists that were identified; and
Identifying strengths and weaknesses of its overall compliance posture.
The purpose of any compliance review is to analyze the level at which a company’s current daily operations are in compliance with relevant laws. Once an effective compliance review is used to establish a baseline, a company, with continued support from management, will be able to formalize policies and procedures that will further define its compliance program and help identify those employees to whom compliance responsibilities should be assigned. Creating ownership and responsibility for results will help a company establish and maintain legal compliance.
There are several important steps reviewers should take when conducting a compliance review. Each review should begin by having the reviewer analyze the company’s risk areas and identify the scope of the compliance review. Like compliance programs, the structure of a compliance review plan will vary depending on a company’s business and compliance risks. Some typical risk factors that warrant additional discussion include technology transfers (domestic “deemed exports” and foreign operations), reexports and retransfers from non-US offices, the classification and exportation of third-party products, and compliance with sanctions and embargoes.
The next step is a detailed review of existing relevant written procedures, forms, tools, checklists, distributor agreements, contracts, and other agreements and documents used to comply with export control and economic sanctions laws. A review of these materials will assist reviewers in determining the sophistication of the company’s practices and level of compliance. The reviewers should compare these existing materials with industry “best practices” for compliance with export control and economic sanctions laws and make recommendations, where necessary, for modifications and additions.
In addition, the reviewer should examine past transactions which will allow them to understand whether these transactions have been conducted in compliance with legal requirements. The reviewers should examine a sampling of documentation, such as sales orders and shipping paperwork, in order to assess the level of compliance that currently exists within the company. This review will allow the company to identify any current shortfalls that it needs to address, and make recommendations to each business segment regarding changes to ensure that the company is in line with industry best practices.
A comprehensive assessment of policies and procedures will also include a review of any reports from internal investigations conducted within the last five years and any voluntary self-disclosures or other notices filed with the government over the last five years. An evaluation of the internal investigative methodology, together with a review of remedial measures, is, in the view of the government, a significant part of a compliance program.
An effective compliance review also will include on-site interviews of senior and mid-level individuals from the following groups:
Individuals with direct international trade-related responsibility;
Persons who have knowledge of corporate international trade policies and regulations;
Human resources personnel;
Customer service personnel;
Employees responsible for facility security;
Engineers who design and develop goods and services;
Information technology employees responsible for file access control;
Business development, sales, and marketing employees; and
Individuals in the company’s legal department who develop policies and procedures.
These interviews will foster a discussion and review of existing compliance policies and procedures and their effectiveness. Because of the need to maintain a dynamic and interactive environment, it is essential that reviewers conduct these interviews in-person. Face-to-face interviews will allow the compliance review team to develop a more complete understanding of each employee’s knowledge of existing policies and procedures and attitude towards compliance.
While conducting personnel interviews, the reviewers should compare existing procedures with actual practice to determine whether they match. The compliance review team should then compare existing procedures against “best practices” for international trade compliance to identify any gaps and make recommendations regarding appropriate remedies. This step will highlight the actual impact that existing policies and procedures have on the company’s business and pinpoint areas where the company can make effective improvements with minimal intrusion into ongoing business operations.
The steps listed above will allow reviewers to assess and identify the degree of compliance within the company with export control and economic sanctions laws, policies, and procedures. Reviewers should then prepare a detailed report of their findings for discussion by the company’s management. This report should include recommendations for how the company can change its policies and procedures to conform to “best practices” within the company’s industry, and the reviewers should prioritize recommendations by risk and the need for implementation. In order to preserve the privileged and confidential nature of such a review and report, we recommend that the review be ordered and supervised by, and the report be submitted to, the company’s legal counsel. Alternatively, company counsel should retain outside counsel to conduct the review and prepare a report. Before the report is finalized, the company should have an opportunity to comment on a draft and correct any factual errors.
The compliance review team also should be involved in assisting the company with the implementation of any proposed recommendations that company management chooses to accept. This effort should include the creation of a tracking mechanism to ensure that the recommendations are implemented properly and in a way that will be most efficient to the relevant business segments. Upon completion of the implementation of the relevant recommendations, the review team should prepare a final report that identifies the corrective actions taken and includes an explanation of the reasoning behind the decision not to implement any of the original recommendations. This final report will serve as an essential reflection of the company’s commitment to compliance and, if necessary, can be used at a later date as evidence of such a commitment.
Companies can obtain significant benefits from the implementation and maintenance of a comprehensive compliance program. In fact, in its penalty guidance, BIS gives great weight to whether a company had an effective compliance program in place at the time that a violation occurred. Additional tangible benefits are seen when a company’s compliance policies and procedures result in the detection of violations and submission of a voluntary self-disclosure (VSD) to the appropriate US government agency or agencies. Each agency treats VSDs differently and has a unique reaction to their submission. In its penalty guidance, BIS also gives great weight in cases where a company has submitted a VSD. In fact, a majority of VSDs result in the issuance of a “Warning Letter,” stating that violations did take place, but no fines or penalties will be assessed, and the company is warned to be more vigilant about compliance with applicable laws and regulations. On several occasions, DDTC officials have publicly stated that the agency considers the submission of an occasional VSD as a sign that a compliance program is working properly. DDTC’s outlook typically leads to what is known as a “No Action Letter,” where DDTC indicates that, although a violation took place, no further action will be taken. OFAC’s position is similar to that of DDTC: it typically issues a similar “No Action Letter” that advises a company that a violation has taken place but that, based on the company’s effective compliance program and the submission of a comprehensive VSD, the company will not be fined or penalized and OFAC has closed its investigation without further action.
As an added and no doubt extremely valuable advantage, in cases where there is no willful and egregious conduct, companies that submit VSDs will typically avoid criminal prosecution. Additionally, unlike the public release of plea agreements or settlement documents in cases that result in criminal or administrative fines and penalties, Warning Letters and No Action Letters are not made public. Thus, the submission of a VSD is more likely to save a company the capital loss that may follow from a public airing of the facts and circumstances surrounding the investigation into and resolution of cases involving violations of export control and economic sanctions laws.
Implementation and Management of Compliance Policies and Procedures
Now that the company has a blueprint of what should be included in an effective compliance program, appropriate policies and procedures should be tailored to fit the company’s needs. When putting together a compliance program, it is essential to remember that an effective compliance program must do more than simply restate governmental requirements. Instead, it must be (a) a reflection of the company’s actual policies and expectations of its employees; (b) practical; (c) easily understood; (d) closely tailored to the company’s unique business; and (e) taken seriously. Ignoring a compliance program in place can be as risky as not having a program at all.
In general, good compliance systems include the following:
A convincing compliance policy statement from senior management;
Designated compliance personnel within the company who have defined responsibilities;
User-friendly, practical, and efficient procedures for anticipating, identifying, and resolving issues under the substantive regimes covered;
A product matrix to cover existing programs and projects;
Explanations understandable to non-lawyers of the substantive legal requirements;
Sample contract clauses, including clauses with suppliers requiring the provision of ECCNs before or with delivery of product;
An action plan for dealing with potential violations;
Practical, efficient, and effective recordkeeping and documentation retention procedures; and
Procedures and timetables for periodic program assessment and updating.
These materials will vary based on the intended user. Thus, compliance policies should include tailored procedures for different departments such as engineering (“deemed export” requirements); human resources (deemed export issues); accounting (OFAC screening and payments); contracts (anti-boycott screening); and purchasing (ECCN requirements, country of origin).
A suggested compliance approach is shown below.
After a company has completed a working draft of the EMCP and vetted and included comments from different areas of the company, compliance personnel have to sit down and mitigate any issues that would present problems for one or more areas of the company, which could unnecessarily prohibit operations. After dealing with these conflicts, the compliance personnel can design methods for initial implementation of the EMCP.
Initially, the person responsible for designing the compliance program should meet with senior personnel and present the draft plan for review and comment. Obtaining “buy-in” from senior personnel will help clear the way for the plan’s implementation. In addition, any employee who will have specifically enumerated functions under the plan must be briefed on such responsibilities to ensure (a) that they understand what is expected of them and (b) that they can fulfill the requirements of their new responsibilities. One of the main objectives here is to ensure that compliance personnel have the opportunity to raise issues and provide suggestions on matters that will affect their responsibilities and, ultimately, the effectiveness of the program. Following these briefings, the company should finalize the program and develop an implementation plan. Specifically, compliance personnel should:
Review the options for the rollout of the program, including method of introduction and timing;
Discuss the form in which the program guidelines will be distributed to different groups of personnel (for example, the company may have decided by this point to prepare guidelines in staggered levels of detail, tailored to the level of understanding required of groups of personnel with different responsibilities. Administrative assistants, for example, do not need to understand specific legal requirements and the procedures in place to address them to the same degree as those persons who negotiate sales contracts); and
Assist in identifying targets for various levels of training, such as lawyers, key sales managers, designated compliance managers, finance personnel, and others, based on their involvement in the company’s operations.
The second part of implementation is the formal training of company personnel. This training can either be conducted by company personnel, if they have sufficient knowledge in the area, or by outside experts. Training should be designed to coincide with an employee’s position and the level of interaction that they have with export control laws and regulations. For instance, a company can include a general overview of export controls in both a new employee training package and annual training material for legacy employees, whereas in-depth training will be given to employees who are directly involved in the export process.
Once a compliance program has been finalized and implemented, companies should interact with outside counsel to support ongoing day-to-day compliance needs. Although a company’s internal compliance personnel can be more than capable of supporting the company’s day-to-day needs, outside counsel can be integral in assisting with difficult regulatory questions that may arise and can take the lead on performing annual compliance reviews, as well as special inquiries when compliance anomalies are discovered. Using attorneys from outside the company provides the protection of privileged communications and documents under the attorney-client privilege and the attorney work product doctrine, as well as a level of independence that may give increased credibility to the results of the review when viewed by a regulatory agency.
Sometimes, a creative and strategic approach is the best method for designing, implementing, and evaluating the effectiveness of established compliance programs. While this approach is not appropriate in all settings or for all companies, it is a creative technique that is ideal for companies that want to explore alternatives to the more traditional compliance review model. Through this strategic approach, focused, on-site field testing can be developed and implemented. Field testing is a technique by which a company can sample, test, and evaluate its compliance program for the purpose of determining its strengths and weaknesses. Such field testing includes:
Interviews of selected employees—including those that serve in a “gatekeeper” or compliance function—and third parties;
The completion of anonymous surveys by employees, which test their knowledge of the company’s compliance policies and procedures and legal and regulatory controls, and their ability to recognize “red flags”;
Focus group discussions during which employees in various positions can openly discuss the risks they perceive in the company’s compliance program; and
A review of selected documents and records to test the effectiveness of the company’s compliance policies and procedures.
Through this innovative process, additional and different information about a company’s compliance program can be obtained, which might be missed with a more traditional compliance review. Specifically, reviewers can ascertain such intangible qualities as the company’s compliance culture and the perceived compliance “tone at the top.” Once the process is complete, a compliance review team will conduct an analysis of the strengths and weaknesses of the company’s compliance program and, based on the results, make specific recommendations as to how the company can, where necessary, strengthen existing policies and procedures or establish new ones.
An effective EMCP can help companies streamline the coordination between their needs and legal requirements, thus ensuring that they can do business in an efficient manner without sacrificing the bottom line. As discussed, we recommend that compliance with export control be viewed less as a cost and more as a savings. Many companies have seen the benefits of having a comprehensive EMCP, and others have seen what can happen based on its absence. A fairly mundane compliance anomaly can easily be turned into an extensive regulatory investigation based solely on a company’s failure to establish and maintain an effective EMCP.
International Trade References and Links to Key Resources
Export Compliance Program Resources
Export Management & Compliance Program (EMCP), U.S. Department of Commerce, Bureau of Industry and Security: https://bis.doc.gov/index.php/documents/pdfs/1641-ecp/file
Export Management and Compliance Program Audit Module: Self-Assessment Tool, U.S. Department of Commerce, Bureau of Industry and Security (September 2011): https://www.bis.doc.gov/index.php/documents/compliance-training/export-management-compliance/10-emcp-audit-module-self-assessment-tool
Compliance Program Guidelines and Compliance Overview, U.S. Department of State, Directorate of Defense Trade Controls: https://www.pmddtc.state.gov/ddtc_public?id=ddtc_kb_article_page&sys_id=4f06583fdb78d300d0a370131f961913
Relevant U.S. Government Agencies
International Emergency Economic Powers Act: http://www.gpo.gov/fdsys/pkg/HMAN-112/pdf/HMAN-112-pg1123.pdf
Export Administration Regulations: https://www.bis.doc.gov/index.php/regulations/export-administration-regulations-ear
International Traffic in Arms Regulations: https://www.pmddtc.state.gov/ddtc_public?id=ddtc_kb_article_page&sys_id=24d528fddbfc930044f9ff621f961987
Office of Foreign Assets Control Regulations: https://www.treasury.gov/about/organizational-structure/offices/Pages/Office-of-Foreign-Assets-Control.aspx
Trading with the Enemy Act: https://www.gpo.gov/fdsys/granule/USCODE-2011-title50/USCODE-2011-title50-app-tradingwi
Lists of Prohibited and Restricted Parties: https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern