Q: How do I know if one of my products requires an export or reexport license?
A: There are three primary export control regimes that apply to military, nuclear, and commercial products, software and technology – those administered by the U.S. State Department, the Nuclear Regulatory Commission and the Department of Energy, and the Department of Commerce. Classification is the key to determining which regime applies and whether an export license is required.
Most companies sell items that are “dual-use” in nature, those that can be used for commercial or military uses. These items are regulated by the Department of Commerce and comprise most of the goods produced by the U.S. economy. Most “dual use” items do not require an export license (think pencils, hammers), but others may require the use of an export license or license exception before being shipped to certain destinations. Too many people assume that the products they export do not require a license for export. The only way to determine if your dual-use products require a license is to classify them according to the Department of Commerce’s Export Administration Regulations (EAR). An export license is also required when an exporter has information that the product, service, or technology will be used in connection with WMDs, missile, or nuclear propulsion end uses. Thus, even a smoke detector that a U.S. exporter “knows” will be used to help develop a chemical weapon in certain countries would require an export license.
If you export military products, you will probably need to register with the U.S. State Department and may need to obtain export licenses for overseas sales pursuant to the International Traffic in Arms Regulations (ITAR). If you sell items connected to nuclear power or weapons, you may need an export license from the Nuclear Regulatory Commission or the Department of Energy.
Exporters should classify all of their products, software, and technology prior to export. Resellers, distributors, and retailers should collect, track, and monitor classification information for all products purchased from third parties that may be exported. Manufacturers and producers should also track classification data for inputs, equipment, and other items that might be transferred internationally.
Q: How do I manage sanctioned country risks?
A: The U.S. maintains broad sanctions against Cuba, Iran, North Korea, Sudan, and Syria. Other countries, individuals, and entities are subject to more targeted sanctions regime. Each sanctions program is unique, but U.S. persons and companies are generally barred from engaging in any transaction involving sanctioned countries, including the provision of U.S.-origin goods, services, or technology or dealing in any sanctioned country origin items. To prevent unauthorized reexports of your goods to sanctioned entities by third parties, your export documentation should include a destination control statement. Training on “know your customer” due diligence and red flag diversion screening should also be a part of your regular export compliance training.
If your non-U.S. affiliates trade with selected sanctioned destinations, stringent procedures must be in place to ensure that transactions and dealings exclude the involvement of U.S. persons and most U.S. origin products, technology, or software. Remember that U.S. embargo and sanctions laws are very broad, and that recent expansions of the Iran sanctions program now subject non-U.S. companies, including overseas U.S. subsidiaries, to substantial penalties for most transactions and dealings related to Iran.
Q: My company buys a variety of advanced equipment for internal company use. What are the export control considerations of moving that equipment or reselling it to a third party?
A: Items and equipment procured for internal company use often fall outside typical sales channels and export control procedures. As a result, these “non-core” products can present unique export control risks for companies with otherwise very good compliance systems. Advanced production equipment and I.T. network security equipment are typical examples of non-core items that can trip companies up. Be sure to incorporate export control procedures in your procurement and equipment disposal processes.
Q: What are the risks of close engineering collaboration with non-U.S. suppliers?
A: Information related to the production, development, and use of export controlled products and software is also controlled for export under U.S. law. Exporting that data to destinations outside the U.S. or allowing foreign nationals in the U.S. to gain access (called a “deemed export”) may require the use of a license or license exception. Close cooperation with an overseas vendor on development or production can result in the inadvertent release of controlled technical data by engineers during oral conversations, presentations, emails, and exchange of documents. Engineers love to share data and collaborate. That can be great for product development, but can also result in export control violations. To prevent unlicensed exports, you should identify and control access to export controlled technical data stored on your systems and train employees, particularly engineers and procurement staff, on applicable technology controls.
Q: What about hosting my company’s data on third party “cloud” servers?
A: Under current export control laws, you are generally responsible for what happens to your data once it’s uploaded to the cloud. For example, if you house controlled production data on a third party server, and that data is hosted, backed up, or moved to a location outside the U.S., you may be responsible for an illegal export of technical data under the EAR or ITAR. Many cloud computing service providers advertise as being ITAR or export control compliant, but under current law, it is still a ‘buyer beware’ environment. Mere encryption of data is not enough to permit exports of controlled data without a license. Any data hosted by a third party should be classified under export control laws and contracts with service providers should be carefully reviewed and constructed to define responsibilities and reduce your liability as much as possible.
And don’t forget about other “traditional” I.T. issues. I.T. and help desk personnel often have extensive access to data stored on your system. I.T. personnel must be screened for deemed export issues, just like engineers and other employees. If you outsource your I.T. to a third party (or are considering such a move), ensure that contracts specify export control obligations in hiring and deemed export licensing, but do so carefully to avoid employment law issues. Implement and utilize contractual auditing rights.
Q: Is Export Control Reform (ECR) really a big deal?
A: It depends on your business. The ECR initiative is retooling the controls applicable to certain “military” items by transitioning less sensitive military items from the very restrictive International Traffic in Arms Control Regulations (ITAR) to the more permissive Export Administration Regulations (EAR). The benefits (and complexity) will be the greatest for manufacturers and exporters of parts, components, and less sensitive systems that are designed or modified for military end use. Many of these items will move to the EAR, which will make exporting, especially to U.S. allies, much easier.
The changes also introduce new complexity, including new definitions for fundamental terms, like “specially designed,” new licensing exemptions (like the revised Strategic Trade Authorization, STA), and updated control lists in the ITAR and EAR. The first stage of ECR became effective October 15, but many of the jurisdictional changes are subject to grandfathering provisions for companies that want to make a slower transition to the EAR. You should review the changes made effective October 15 and keep an eye on upcoming final rules to ensure your company both takes advantage of the new exemptions and avoids any new pitfalls.
Q: What are some export control “best practices”?
A: We’ve noticed that top-notch compliance systems, regardless of industry and company size, include some common elements. First, senior management understands, supports, and monitors compliance. Second, compliance is a core aspect of company culture, where all personnel understand that compliance is a part of their job responsibility. Third, well-trained employees are informed and empowered to be vigilant and vocal in identifying and mitigating export control risks. Fourth, compliance and legal personnel get out to facilities and conduct regular, rigorous auditing. Fifth, a mix of automated and manual business process controls balance efficiency and redundancy to prevent compliance slip ups. Sixth, dynamic compliance systems evolve and adjust to the changing risk and business landscape as your company grows and changes.
Finally, companies with good systems seek outside help from experts from time to time. The rules are so complex and are changing so quickly that some level of expert help can reduce risk and help make your system more efficient.