David Yang and Christian N. Curran
Overview of the U.S. Export Control Regulatory Regime
The U.S. export control regulatory regime is generally comprised of three primary, interrelated components—commercial exports governed by Export Administration Regulations (“EAR”) and managed by the Department of Commerce, Bureau of Industry and Security (“BIS”); military or defense exports governed by the International Traffic in Arms Regulations (“ITAR”) and managed by the State Department’s Directorate of Defense Trade Controls (“DDTC”); and sanctions issued by the Treasury Department’s Office of Foreign Assets Control (“OFAC”). In addition, the Department of Justice National Security Division (“NSD”) may get involved if a violation is potentially criminal.
While each of the components has its own specialized application, they each govern the export of controlled items, which includes any transfer, release, or other dissemination of controlled items or information, including shipments, letters, faxes, phone calls, emails, or downloading controlled items and information in connection with a foreign country or national. While U.S.-made items are certainly covered, foreign-produced items that contain some U.S. content may also be covered. Covered items require licenses from the cognizant authority before they can be exported, unless the export relates to an embargoed country or restricted party such as Specially Designated Nationals (“SDNs”), in which case the export is banned. Violations may result in civil or criminal enforcement actions, costly penalties, and sanctions.
Each component of the regulatory regime comes with its own specific issues that companies should be cognizant of.
- EAR
The EAR covers the export of commercial products that have the potential for dual use—meaning the item has both a commercial and military use—and as such, covers a broad range of products, hardware, software, technical information, and data. The EAR’s Commerce Control List identifies controlled items and segregates them based on sensitivity and security considerations and applies more lenient or stringent controls depending on their risk classifications.
- ITAR
The ITAR broadly governs the transfer of all defense articles, hardware, and technical data, including software and defense services, and requires entities involved in such transfers (which can include manufacturers, exporters, and their brokers or financiers) to register with the DDTC. ITAR-governed items are listed on the United States Munitions List, but the list is not exclusive and routinely changes. ITAR-governed entities are also subject to mandatory reporting of payments of fees, commissions, and political contributions above certain amounts.
- OFAC
Finally, the U.S. government, through OFAC, implements various sanctions programs, including asset freezes, against other countries and foreign nationals. OFAC has broad investigatory powers, and determinations issued by OFAC can result in significant monetary penalties, and also impact a company’s professional responsibility and ability to perform government contracts. Unlike the other rules, there are generally no exceptions to the embargoed countries or restricted parties (e.g., SDNs) dictated by OFAC.
Key Business Considerations for Your Company
While on the surface these rules may appear straightforward, they can be complex and difficult to navigate in practice. Manufacturers who make commercial products sold overseas may unwittingly be subject to the EAR if the goods can be deemed to have a dual use and, thus, fall under the EAR’s list of controlled items. It also may not be obvious to a purely domestic manufacturer that it can be subject to export rules if one of its buyers, though located in the United States, brokers or distributes your product overseas. Moreover, the export control regulations also apply to controlled information, not simply to physical goods, which expands the potential application of the regulations. For example, the regulations may impact cloud service providers whose physical footprints (i.e., their server farms) are located in the United States, if the controlled data residing on the cloud can be accessed overseas or domestically by a foreign national.
Too often, companies lack the visibility into their relationships with their customers, business partners, and agents needed to understand whether those relationships raise any issues covered by U.S. export control regulations. Indeed, as U.S. companies continue to expand, any physical or electronic communication with a foreign office or affiliate may constitute an export—for example, even parties who are employed by the same U.S. company and discuss controlled information within the United States are not exempt from the export rules if one or more individuals are foreign nationals. Companies should assess their organization, agents, partners, supply chains, and end users to fully understand the nature of their business, and evaluate whether they may be subject to the export control regulations. Without this assessment, companies run the risk of violating the export control regulations, failing to make appropriate disclosures on a timely basis, and potentially incurring significant penalties and sanctions.
Whether you are conducting an export assessment for the first time or reviewing your existing program, counsel should be involved to preserve privilege and assist in navigating this complicated field. Only after a proper assessment has been completed, and your company understands its risk profile, can your company appropriately evaluate a risk mitigation strategy for potential incidents, and implement measures for addressing violations or enforcement actions by the government.
2 thoughts on “Managing the Export Controls Minefield (Part 1 in a Series)”
Comments are closed.