Export Compliance 101

Full transcript below:

Craig T. Ridgley

My name is Craig Ridgley. I am really excited to be here today to go through this Basic Export Compliance Awareness session with you.

This session is intended to create basic awareness of export and highlight some of the elements inherent in an export compliance program. The program has many, many compliances and we’re going to touch on some of these today.

But first, we’re going to start with the basics.

What is an export? It’s an actual shipment or transmission of items subject to the Export Administration Regulations out of the U.S. These can be done as physical shipments; intangible shipments—meaning over the internet or by a fax machine, or some other electronic means. And they can even occur in conversations over the telephone. All are possible exports. Okay. Exporting is not a right.

It is a privilege that the government can deny you, as one of their main tools when somebody violates the law is to get your export privileges denied. For some companies, that could be a door closer. And then there’s something called a re-export.

And a re-export is a shipment or transmission of commodity, software, or technology subject to the EAR, from one foreign country to another.

For example, from France to Germany. I know some folks are familiar with the EU. There’s no export in between EU member states. But from the U.S. perspective, that would still be a re-export from one country to another. So there are three primary jurisdictions involved in …

Oh, Heatherly, do we have poll results yet?

Heatherly Bucher

Absolutely.

Let’s take a look at that. So the first poll question was, “What is your company’s export compliance program level today?” And I tell you what, Craig, if you want to, I can share my screen. Hold on a second. If you can stop sharing for a minute, I will share and show everyone the results.

Craig T. Ridgley

Okay.

There you go.

Heatherly Bucher

Perfect. And let me show this because a visual is better than me just spewing it off.

So first poll, “What is your company’s export compliance program level today?” And we see actually, almost half don’t have a program today, Craig, that are on the call with us. And we have some 26% who are going to be creating a program, and 2% began this year. Oh, the number is changing a little bit. And then we have about 15% who have an established program. And then if we take a look at the second poll question, “What’s your personal level of knowledge in export compliance?”

So, Craig, this is a great group of people for your kind of Export Compliance 101, because most people here are actively learning about it.

Craig T. Ridgley

The three primary jurisdictions that regulate exports out of the U.S.

The first is the Commerce Department. Commerce Department has the Bureau of Industry and Security. It was formerly known as the Bureau of Export Administration. But after 9/11, they changed the name of the bureau to Bureau of Industry and Security. The name of the regulations has remained the same however: Export Administration Regulations.

Or otherwise fondly referred to as the EAR. The Commerce Department regulates 85% of those items that are exported out of the country. Okay. The other jurisdiction is the State Department, the Directorate of Defense Trade Controls, DDTC, and they manage and promulgate the International Traffic in Arms Regulations, or the ITAR.

The DDTC controls 15% of those items that are exported out of the United States.

And then there’s the Treasury Department and the Treasury Department’s Office of Foreign Assets Control, and they manage the Foreign Assets Control Regulations.

Now, some of you might be wondering, okay, Commerce does 85% of the stuff that leaves the country. State Department does 15%. What’s left for the Treasury Department to do? Now, if I were doing this face to face, I’d ask somebody a direct question: “Give me your thoughts.” But I have to tell you, the Treasury Department controls the actions of a U.S. person. As a U.S. person, if I’m driving through Switzerland and my rental car is running out of gas, I have to drive past the gas stations that are owned by Syria.

I can’t stop at a Syrian-owned gas station and fill up my car. I have to keep moving. Or if I’m in Mexico and I want to buy a Cuban cigar, I have to not buy it. Or if I do, I will simply burn the evidence. Anyway, those are the three jurisdictions. We can talk more about those another time.

What is export determination?

This is what you have to do every time you’re going to export something. And it’s a process by which the legal authority to export or re-export an item is determined. This determination is made by considering several factors, all of which must be completely answered before the export.

And it’s really critical that you have these answers before the export. If you don’t have all the answers and you export it anyway, you really run the risk of a violation. And we’ll find out later in this presentation how bad that can be for you.

So, what are the export determination factors? Well, the first is, what is it you want to export? Well, in export control, this is done by classification. This classification is either under the EAR or it occurs under the ITAR. There are different systems, different ways of identifying the classification, but in export control terms, you don’t know what you’re exporting until you have it classified.

The Commerce Control List, when you print it out, it’s a 4-inch, 8.5-by-11-inch binder. Meaning 4 inches thick and 8.5 by 11. And those are all the things that are on the Commerce Control List. Under the ITAR, the USML, the United States Munitions List, it’s considerably smaller. That’s because it’s very focused on defense articles and doesn’t have the broad scope that the CCL does.

Where is it going?

This is where you do embargo screening and your license determination. Embargo screening is, are you going to one of the four comprehensively embargoed countries? Syria, Iran, North Korea, or Cuba? Licensed determination, on the other hand, is when you’ve got your classification, you know what you have, and you know where it’s going, does that thing require a license to go from the U.S. to that particular country? So you have to know exactly where it’s going, who the ultimate consignee is, and who the end users are if they’re different than the ultimate consignee.

The next factor is, who do you want to export it to? Here we do Restricted Party List Screening to identify parties to the transaction or attempt to identify the parties to the transaction.

Most countries in the international arena keep lists of bad guys. Bank of England has a list. Australia has a consolidated screening list. Japan has a list that they maintain. The U.S. has dozens of lists of bad guys in one group or another. And you want to make sure you’re not dealing with somebody that’s on a list. You certainly don’t want to deal with somebody who’s on a U.S. list.

If they’ve been denied export privileges, or if they’ve been debarred from government contracts, you don’t want to deal with them. If you do, you are in violation and you will get penalized. And we’ll talk again more about penalties a little bit later. What are they going to use it for? This is called End-Use Screening or EPCI Screening.

EPCI stands for Enhanced Proliferation Control Initiative. It’s a screening that’s done to make sure that your customer is not using your product for the indirect or support of weapons of mass destruction, or IEDs, improvised explosive devices. And added to that, lately, we’ve got Military End Users and Military Intelligence End Users that we screen for as well.

Now, those last two, the MEU and the MIEU list, only pertain to Venezuela, Russia, and China. So if you’ve got something that you’re going to send to one of those countries, you need to make sure it’s not going to a Military End User, or a Military Intelligence End User. And as a result of these export determination factors, what is the possible export authorization?

NLR, No License Required, a license is required, but there’s a license exception, or you’re just stuck and you have to get an export license. So, how do we do this if somebody wants to ask a question about a slide? Do they raise their hand, or do we save that up for the end?

Heatherly Bucher

We save it up to the end, but it’s a great place to pause a minute and remind everyone that please, feel free to put your questions in, and we will get to some of them at the end. If you have a great general question you think a lot of other people have, it can be upvoted. Craig will also be showing at the very end, he’ll be showing his contact information. So if you have more detailed questions beyond this, then you can contact Craig directly.

All right.

So, what is a dual-use item?

Craig T. Ridgley

A dual-use item is under the purview of the Commerce Department, the Bureau of Industry and Security, the EAR, and it’s on the Commerce Control List, the CCL. The Commerce Control List is a list of dual-use items. And a dual-use item is one that has, primarily, a benign civilian use, or …

and, I’m sorry, not or, and it has the ability to be used in a military application or strategic civilian use. Read CIA when I say, strategic civilian. The perfect example of that is a laptop. Designed for a benign civilian application and what most of us work on. But you add a little bit of a ruggedized case and some special software, and it can easily be used by the military for an actual military application.

That’s a dual-use item. Again, this represents 15% of everything that’s exported out of this country are dual-use items. A munitions item is regulated by the State Department.

We’ve talked about the DDTC and the ITAR. Munitions are listed on the United States Munitions List. That’s the list that is ostensibly prepared and approved by the President of the United States. Things only get on or off there with his approval, or the approval of those he delegates that responsibility to. It’s a list of munitions. It’s guns, it’s a fighter aircraft, it’s submarines. Whatever you can think of that’s used in a war, it’s on this list of munitions, including various forms of software and other seemingly unrelated items to fighting a war.

A munitions item is one that has been designed, specially designed, or modified for military application.

It may or may not have a civilian application. The first Humvees that were made and sold to the general public in the U.S. were actual versions of military Humvees. And military Humvees can be used in a military application, were designed for a military application. So those first Humvees were USML items, even though they were being driven on the street by civilians. And whether or not it has a civilian application has nothing to do with the fact that it’s a known munition.

It will be in a munition if it was specially designed or modified. Recently, after several years, there was an Export Control Reform Initiative in the government, where the State Department and the Commerce Department got together and wanted to move some of the munitions items from the USML to the CCL.

They were moderately successful in doing that. It’s questionable whether or not it was legal, but no one’s challenged it yet. So some former USML items are on the CCL, and I’ll reserve my opinion of how well it worked, actually. That’s a munitions item. Now, we’re going to talk about license exceptions.

When you have an item that is going to cross a border and you determine that it needs a license, the next thing you do before you apply for that license is go look and see if you can find a license exception that you can use. That will allow you to export that in lieu of having an export license. These are the transaction-specific license exceptions that are available. I will just mention a couple.

STA, Strategic Trade Agreement, is a very valuable license exception. And ENC, Encryption Commodities, and Software is very useful for the ubiquitous use of encryption in today’s products. These are only used where the conditions for their use are met completely. You have to make sure that you can tick off all the requirements.

If you don’t and you export it anyway, you would be in violation. It would be a license violation and that would be a bad thing. Some require the approval of BIS prior to their use. Some of the ENC sub authorities require a BIS approval. And some of the other ones, STA, APP, for example, do require a BIS approval. And again, these are used in lieu of filing for that export license.

And these are not all of them either, by the way. These are a fair majority of them, but not all of them. And I’ll also mention that the U.S. is the only country that has licensed exceptions to this extent. In the U.K. or formerly the EU, there was a general license you could get that sort of worked like a license exception. You just file for it once, but you can use it repeatedly.

But basically, the U.S. is the only country that offers you these many opportunities to not have to go get a license. We’re fairly generous with our export controls in the U.S., far more so than Germany or the U.K., other countries. One term that’s used frequently in exporting is the word “technology.”

And it’s a defined term in the export regs. And I’m going to just read the definition right out of the regs.

“Technology” means information necessary for the development, production, or use in the operation, installation, maintenance, repair, overhaul, or refurbishing, other terms specified in ECCN’s on the CCL that control technology. That’s really the whole definition, and I’m going to try and explain one aspect of it here. It’s information that’s necessary for the development, production, or use of a product.

We’ll stop there. Meaning, if it’s information that is not necessary for its development, it’s not necessary for the production, then it doesn’t meet the definition of technology. There’s a definition of use technology that includes operation, installation, maintenance, repair, overhaul, or refurbishing. Actually, it’s and refurbishing. And all of those things have to be in one bucket to be considered use technology.

All that information needs to be in one bucket to be defined as use technology. Because that was so difficult to do, the government decided to include the individual pieces in the definition of technology, so that they could call out specific types of technology that would have formerly fallen under use technology definition. But they want to control it individually, or in groups like installation, maintenance, and repair.

It’s a little confusing. If you have any questions about that, please feel free to email me or give me a call, and I can go over it in detail. Note one to the definition of technology.

It means technology may be in any tangible or intangible form, such as written or oral communications, blueprints, drawings, photographs, plans, diagrams, models, formulas, tables, engineering designs, and specifications. So on and so forth. That all can be technology, as long as it’s necessary for the development or production of a product. And it can be revealed through visual inspection as well.

Somebody taking a plant tour can be exposed to technology. Like I said, technology is a defined term and it’s not to be confused with given, the Apple iPhone technology in the general term. What we mean here is what can be defined as information necessary for the development or production of a product. Okay.

Now, we’re getting really esoteric. Deemed exports. What is a deemed export? It is a release or exposure to technology or software source code to a foreign national, a non-U.S. person in the U.S.

And it’s deemed to be an export to the home country of that foreign national. I’ll give you all a minute to think about that. Meaning, if I show some source code to a person from India, and we’re in the United States, because it’s source code and because it can be read and understood, it is deemed to be an export to India. And the same could be applied to a specification, or any of those other things that I mentioned before were examples of technology.

If that happens in the U.S. and there’s a non-U.S. person, then it’s a deemed export to the home country of that foreign national. A deemed re-export is the same thing occurring in a foreign country to a foreign national of yet another country.

So if there’s somebody from Germany in France, and the French person exposes the German person to a specification that’s controlled, that would be a deemed re-export from France to Germany. Deemed exports are relevant to the hiring of foreign nationals in the U.S. and abroad. And they’re also relevant to visits made by foreign nationals. So if you have foreign nationals in your company and you’re working on controlled technology, you may have to stop and get a license for that foreign national to be exposed to controlled technology.

So you need to put something in place so that when foreign nationals come to visit you in the U.S., that you have the proper protocols in place to make sure that no inadvertent releases occur to that visiting foreign national. Deemed exports are very difficult to manage and it takes some work to make sure that you’ve mitigated your risk. So with regard to deemed exports, I said a non-U.S. person.

Who is a U.S. person? It’s better to ask it that way. A U.S. person is one who has a permanent right to reside in the U.S. There are three types of U.S. persons: a U.S. citizen by birth or naturalized, a foreign national with a permanent resident alien visa, aka green card, or a foreign national granted asylum in the U.S., or as a protected person in the U.S.

For example, Cubans who make it to U.S. soil immediately register and they become a U.S. person because they’re under the protection from the Cuban embargo of 1963, still.

We specified that it was non-U.S. persons. Do we have the right to ask a person about their nationality? Let’s say we’re thinking about hiring somebody. Can we do that? The answer to that question is, yes.

The U.S. equality laws apply to U.S. persons only, and federal law permits the question when required by law. Well, the Export Administration Regulations require the question, but the bigger question is, how would you obtain this information without violating a U.S. person’s right?

If U.S. equality laws apply to a U.S. person, then how do you do that? How do you not say, where are you from? Or where were you born? Or what nationality are you? Well, you ask the person, do you have a permanent right to reside in the U.S.? That’s a perfectly legitimate question. Doesn’t ask where you’re from, doesn’t ask what your nationality is, or your religious orientation, or any of that. If the answer is yes, the deemed export rule does not apply and you don’t need to inquire any further.

If the answer is no, the rule applies and you may proceed with obtaining the necessary information. Simple as that. Once you get that information, and let me see if I can explain why this works, what it does, you’ve got a person applying for a job. They’re going to work on a design of a new processor chip. That processor chip would be controlled under ECCN 001, which is controlled by a lot of countries.

Meaning, it requires a license to go to certain countries. And to certain countries, there are no license exceptions that it can be. And if your applicant is from one of those countries where there’s a license requirement and a license exception can’t be used, then you need to get a license for that person before you expose them to any of your controlled technology. Okay. Hope that explains that. Now, we get to the interesting stuff.

And by the way, I actually saw several years ago, some news footage that looked just like this picture. It occurred here in Tampa—that’s where I live and work out of my home. There were several vans that pulled up. FBI, Office of Export Enforcement, and local authorities, pulled up in front of a building. The officers got out of their cars, went into the building, got all of the employees out of the building, put them in a parking lot.

Then they went back in and started carrying off every cabinet, every bookcase. Anything that contained information was being pulled out, computers, everything, and put into the vans. And then finally, the CEO of the company was led out of the building in handcuffs. I’m not trying to scare you. I’m just saying it can happen. In his case, he was willfully exporting ITAR-controlled information to, I think, it was China.

And he was doing it willfully, with full knowledge. You really have to work hard to get arrested for export violations. You have to go out of your way. But from this point, I’m going to show you what the consequences actually look like.

For BIS, it’s a civil violation. Meaning, oops, if you make a mistake, it can be up to $500,000 per violation and processed administratively. These are penalties involving national security items. You can also be denied your export privileges. Criminal violations are up to a million dollars, or five times the value of the exports. And for the individuals involved, officers, directors, or agents, it can be a quarter of a million, a personal fine, and/or 10 years in prison.

ITAR violations are very similar.

Again, this is part of the Export Control Reform. They tried to sync everything up between the two jurisdictions. Up to $500,000 civil penalties can be imposed, in addition to criminal penalties. That’s a big one. And debarment from government contracts. Criminal violations, up to a million [dollars] or five times the value. And again, $250,000 or 10 years, and/or 10 years for the individuals involved. OFAC, if you recall the Office of Foreign Assets Control, their administrative penalties are up to $65,000 per violation.

Their criminal corporate fines are up to a million dollars. For individuals in a criminal situation, $250,000 and/or 20 years in prison. There was a recent in export compliance terms, recent is a few years ago, JPMorgan Chase was fined $880 million for money laundering. Believe it or not. So the Office of Foreign Enforcement and the Justice Department are changing the focus of their prosecutions.

They’re actually going after specific violating individuals. In the old days, they would just prosecute the company and fine the company. They will no longer allow companies to take the fall for their employees’ bad actions. So it’s getting a little more serious out there for people responsible for export compliance. Now, this isn’t really up-to-date information, but it’s hard getting anything up to date from the government in this arena.

But you can see if you go back to 2009, 33 individuals and businesses were convicted. Criminal fines totaled under half a million, and 886 months of imprisonment. Jump up a little bit, go to 2013, 52 individuals and businesses convicted. $2.6 million in criminal fines, $18 million in forfeitures, and about the same amount of months of imprisonment.

And if you look on the administrative side, you can see that it’s steadily going up as well. $60,488,000 in administrative penalties in 2014. So this just is to show you that the government really takes export compliance seriously. And I have to tell you that the Office of Export Enforcement is a very small organization, very small.

And especially in government terms. If you take ICE or CBP, there are thousands of ICE and CBP agents, thousands of them, and they’re all working their job to secure the borders or secure stuff that either comes into the country or goes out of the country. And they do all the enforcement. The Office of Export Enforcement being so small relies on companies to self-enforce, to obey the laws, to know the regulations, and to abide by those regulations.

Because they just don’t have the staff to go out and enforce it like ICE and CBP does. So it really is something that you, as legitimate international players, need to make sure you do your due diligence and have your compliance programs in place so that you don’t have to worry about this stuff.

And the key to export compliance is the program has to be developed such that it’s completely transparent. And I don’t mean that like it’s used lately. Meaning, it needs to be invisible. It needs to run in the background and not be seen until there’s a problem. And that’s how it should be designed. You want it there, you want it running. You want the processes there so everything just flows smoothly. And only when there’s a hiccup do you have to go and look at your program.

At least, that’s the way I approach export compliance programs for my clients.

And I’m going to tell you about one of the 10 General Prohibitions. General Prohibitions One through Nine basically establish the basis for all of the EARS. Nine rules drive the Export Administration Regulations. General Prohibition 10 draws a very bright line between what is processed administratively versus what is prosecuted criminally. General Prohibition 10 says, “You may not support or proceed with an export if you know or have reason to know that a violation has occurred, or is about to occur.” So if you know that you exported something illegally and you send a replacement part for that thing, you’ve just broken the General Prohibition 10.

In lieu of that, the EAR does not contain any regulation that requires a company to report itself.

However, if a company proceeds with, or supports in any way, an illegal export, that company is in violation of General Prohibition 10, by definition. Violations of Prohibition 10 will be prosecuted criminally. BIS strongly recommends that companies report all of their violations through the process of voluntary self-disclosure, the VSD. That’s a process where you basically document what happened, what you’re doing to correct that immediately, what long-term remediation programs you have.

And basically, you fall on your sword in front of BIS. Generally, VSDs result in warning letters. The letter will read something like, “Yes, we found that there was a violation, but we’re not going to take any further action with that.” Basically, they’re saying don’t do it again. If you do, we’re going to throw the book at you. Most VSDs don’t result in financial penalties.

But if they do, they’re typically 35% of what is legally possible for them to fine you, 35% of what the maximum could be. So voluntary disclosures are really important.

They really save you a lot of money if you choose to report a violation. You can choose not to report a violation and just fix the problem, and make sure it doesn’t happen again. And actually, I’ve talked with OEE and they’re just fine with that decision because that’s the result they want, is for you to not violate again. And if you take the steps necessary to make sure that doesn’t happen, they’re okay with that.

Unless of course, it was willful. In which case, they like to take off the gloves. It should also be noted that if any agency of the federal government finds out about your violation before you do a VSD, the VSD is off the table and you can’t submit one. Okay.

So this is a phrase from the Office of Export Enforcement, “Don’t let this happen to you, or your boss.” Hopefully, you’re not the boss. And there you go.

There’s my email address, [email protected]. It’s long. I know, it’s a pain to type out, but it’s easy to remember. And there’s my phone number. Please feel free, really, to email or write. I’m not going to charge you for a phone call. I’m not going to charge you to answer an email. I’d rather you just ask the question.

Heatherly Bucher

Thank you for joining us.