A subject that receives little attention (academically or in practice) is the intersection of three distinct, yet often overlapping, compliance areas: (1) data privacy; (2) information security; and (3) export compliance.
For example, a global company that provides cloud services might host technical data that is potentially subject to U.S. export regulations. It is quite likely that this company has not given much thought to whether it is in compliance with U.S. export control laws, much less built a compliance program to assess and address potential risks. This is understandable, given that the term “export” is normally associated with the shipment of physical goods to foreign markets. Companies whose only “product” is intangible (in this case, providing IT infrastructure for the management of technical data) are unlikely to think of themselves as “exporters.”
This view, however, is shortsighted and potentially dangerous. In reality, the U.S. export control regime is so vast that it encompasses many transactions that, at first glance, would not appear to be “exports.” For instance, “release of controlled technical data” to a non-U.S. employee might, in and of itself, be considered an export violation.
For this reason, companies that handle large quantities of technical data must, at a minimum, be aware that they may be subject to U.S. export controls. Even if a company has implemented a sophisticated compliance program to protect personal information in accordance with U.S. and EU law, it may not have sufficiently addressed its potential exposure to U.S. export regulations.
With thanks to Paul Divecchio of Divecchio & Associates, and a series of articles published by American Shipper, we have put together a list of “best practices” for companies seeking to build and implement an effective export compliance program.
- Purpose of an Export Compliance Program (ECP): to facilitate business in accordance with regulations, not to be an “internal police force”
- Two core objectives in developing an ECP: (1) risk avoidance; (2) increase international marketing opportunities
- ECP must be “implementable” (not just reference materials)
- Key to success: executive commitment
- Companies want substantive and practical guidance re: establishment of policies and procedures, not “excerpts” from different regulations
- Software solutions (e.g., Visual Compliance/M.K. Data Services/OCR/Vastera/Global Trade Services, Dow Jones 50% vetting) are extremely helpful, but are only one component in a broader ECP: you need “skilled human intervention”
- Screen every party to a transaction (e.g., banks, shipping companies, etc.)
- Must communicate globally that any employee who violates corporate export policy will be held personally liable
- Vast majority of work should be done by company through internal efforts (even if you hire an outside consultant)
- Global compliance is crucial (especially for affiliates, but to some degree for contractual resellers)
Awareness and Training
- The export arena is in constant flux; accordingly, it is essential to keep current.
- Suggestions for keeping current: the “Daily Bugle;” weekly conference calls involving (among others) the export compliance officer, the president of international development, and external consultants; the “FCPA Blog”
Relationships with Regulators
- Even if there is a violation, the presence of a strong ECP may be a mitigating factor when determining penalties
- Regulators should be viewed as “partners”
- Should proactively report suspicious activity
  - No obligation to do so, but the goal is to be a good “corporate citizen”
“Release of Controlled Technology” to Foreign Worker under EAR
- “Deemed Export” (two ways to conceptualize):
  - the obligation to obtain a license from BIS before releasing controlled technology to a foreign person; or
  - a release of controlled technology to a foreign person is “deemed” to be an export to that person’s country of nationality (this also includes the “know how” re: use, production, and development of a controlled item; may include “visual inspection” of controlled technology by the foreign national)
- I-129 (petition for a non-immigrant worker): box added in 2011 to ask whether a license will be needed to release technology to a foreign worker (ask about citizenship status during application stage)
- Once the item is identified, you need to “firewall” it from foreign nationals
- Need to monitor the status of foreign employees and controlled technology (involve ECO, HR, and mgmt.)
- ECP should extend overseas to cover foreign affiliates (subsidiaries, branches, etc.) that handle controlled items
- Need centralized oversight (e.g., an ERP system that screens all transactions against U.S. and non-U.S. export regulations)
- Need “buy-in” from senior foreign officials: need strong statement from highest level in U.S. that says all employees will be held accountable for violations
- Identify point of contact for foreign entity