Risk Management in the Export Controls Minefield (Part 2 in a Series)

David Yang

As the recent Bright Lights USA case demonstrates, export violations continue to be met by aggressive enforcement actions by U.S. government authorities. In Bright Lights USA, the U.S. State Department’s Directorate of Defense Trade Controls (“DDTC”) charged and fined a small manufacturer $400,000 for violating the International Traffic in Arms Regulations (“ITAR”) by exporting, without obtaining a license, engineering designs and drawings abroad for minor vehicle spare parts (such as rubber seals, gaskets and grommets, etc.) in connection with bids sent to foreign manufacturers to produce the parts for Bright Lights to resell to its commercial and public sector customers. Although the parts were commercial items and many other similar parts in the category in which Bright’s Lights conducted business had transitioned off of the U.S. Munitions List, the company had failed to update its list for parts that were still controlled. The DDTC found that the violations had occurred in large part due to the company’s “significant training and compliance program deficiencies.”

The Bright Lights case demonstrates that even if the violations do not warrant heavier sanctions or criminal prosecution, the U.S. government will pursue less punitive remedies, such as substantial fines, regardless of intent or the sensitivity of the items that were improperly exported, and underscores the need for companies of all sizes that deal in controlled items, whether they are commercial, military, or quasi-military in nature, to have an ITAR compliance program in place across the organization to ensure that stakeholders are cognizant of the ITAR requirements, apprised of any changes in law or procedures, and have documented processes that employees are directed to follow to avoid inadvertent disclosures of controlled items.

In Part 1 of this series, we addressed the regulatory and definitional landscapes for controlled items, including the principal government enforcement agencies that patrol these often interrelated regulatory areas.  In Part 2, we go over five best practices that your company should consider and stack against your existing compliance programs to evaluate any risks, weaknesses, or gaps in your existing plan, or in the event your company does not currently have a compliance program in place, to consider promptly incorporating in developing and implementing a compliance program. A compliance program, tailored to the specific needs, business lines, and operational structure of your company is an essential risk mitigation tool that will substantially reduce, if not prevent, an inadvertent disclosure of controlled items and can be doubly useful as a mitigating factor when negotiating a resolution with government authorities in the event of an unauthorized disclosure.

1. Find the Plan That Suits Your Company

Unfortunately, there is not a one-size-fits-all compliance plan for companies. Rather, each company whose operations involve controlled items will need, and best be served by, developing a plan that is tailored for their business needs and risk tolerance level. For example, a company whose business lines heavily involve the use, access, and distribution of controlled items will likely require a more comprehensive compliance program, including, as appropriate, specific procedures and even dedicated forms, than a company that only seldom works in this area. However, despite the lack of a generic blueprint, all companies whose businesses touch on items that are controlled or even potentially controlled by U.S. export restrictions, should have a written compliance program that, at a minimum, includes an executive management statement that the company takes its export obligations seriously and expects and empowers its employees to do so as well on a proactive basis to resolve issues before they become problems. Although only the first step, this fundamental corporate message (which is often included in a broader company code of conduct that the company will abide by regarding the other serious matters) is not only an example of good corporate governance, but it can help mitigate damage by showing the government that the company takes its obligations seriously in resolving an investigation or enforcement action. Along with other components in a documented compliance plan (discussed below), an executive statement from the highest levels within the organization can be used to rebut an assertion that the company acted recklessly and can serve as evidence that the company has robust and systematic controls in place, takes its compliance obligations seriously, and that any violation was the result of a rogue actor within the company. Such indicia can potentially mitigate and reduce the penalties assessed by the government or persuade the government to defer or not pursue more serious enforcement actions such as sanctions or criminal proceedings.

2. Considerations for an Effective Compliance Plan

As noted, there is no one-size-fits-all compliance plan when it comes to export compliance. Nevertheless, there are some common practices that a company, regardless of size or industry, should consider in developing its compliance program. In addition to a broad executive statement, companies should implement a more detailed policy designed to implement the management message. Companies of all sizes should have a policy on export controls that defines, at a minimum, the relevant definitions and legal standards and requirements when dealing with controlled items and foreign nationals who may work at the company. For example, a policy should define the controlled items under the ITAR and related export regimes instituted by the U.S. government, identity a person or persons responsible for managing the company’s export matters, including whether an export is controlled, a license is required, or an exemption applies, and communicating with the relevant authorities regarding such proposed disclosures overseas or to foreign nationals in the United States.

Moreover, to the extent your company employs foreign nationals who have not been cleared to access controlled information, the policy should consider whether sufficient firewalls are in place to prevent unauthorized access to that information by those individuals. And, if a foreign national who was not initially hired in a role that contemplated the access or use of controlled information has changed to a role within the organization that now does, your policy should have a process to ensure that the individual receives the necessary licenses and training on the access and use of controlled items. Because fluid situations may arise, an effective policy will benefit from inviting input from and buy-in of multiple stakeholders across the organization, including legal, human resources, engineering, and other functional areas whose tasks directly or indirectly impact or relate to controlled items. An effective policy must reflect how your company actually operates so that clear lines of communication and responsibilities can be properly established, implemented, and monitored.

In addition, depending on your export volume and activity, your company may also benefit from having specific procedures and detailed forms or instructions for employees to use when dealing with controlled matters. In this regard, unlike a policy, which provides guidance at a higher level, a procedure will set forth the specific processes, channels of communication and responsibility, and persons designated for determining whether information or a product is subject to controls or restrictions and, if so, the steps needed to process these items with government regulators to ensure that the proper licenses or exemptions are in place for exports abroad. Your company’s procedures should not be limited to data, drawings, or physical products, but should also include, as noted, the screening, access, monitoring, and management of foreign nationals who work at the company.

Depending on the frequency with which your company deals with controlled exports, having detailed instructions in the way of procedures and forms can be a very useful protocol to help reduce confusion within the company about how controlled items are handled and by whom, including proactively identifying, managing. and minimizing errors in processing such items for export. Management should review their business lines and determine whether a greater degree of detail would benefit or burden the company.

3. Routinely Review Your Compliance Program

As demonstrated by the Bright Lights case, changes to the U.S. Munitions List and related controlled item regimes change from time to time so it is important to periodically review and update your compliant roster to ensure that your program has the most up to date information. In Bright Lights USA, the company appeared to have been confused about whether the spare parts it was procuring from foreign manufacturers were controlled since many similar parts from that category of items had been removed from the U.S. Munitions List in 2013 as part of reform efforts to the export rules—a fact which Bright Lights would have discovered, and a costly mistake it could have avoided, had it maintained a current list of controlled items still governed under ITAR. Depending on the complexity and breadth of your operations, you may also want to dedicate an individual to monitor the regulatory landscape for proposed and actual changes and recent enforcement trends in order to stay abreast of the latest developments. After all, any compliance program is only as good as the information it relies upon.

Additionally, while any review should assess any legal changes that may impact your current processes, it is equally important that any organizational or structural changes to your company (such as acquisitions, corporate restructurings, and the like) also be assessed to determine what, if any, impact such changes may have on the company’s export compliance protocols and procedures. For example, the acquisition of a foreign entity as an operating subsidiary and affiliate may require a review of whether existing firewalls in place at the company’s U.S. operations are sufficient to preclude the unauthorized export of any controlled items to the subsidiary or whether licenses will be needed to allow necessary coordination and communications between the entities. Again, your review of your compliance program should involve the input from all affected stakeholders in order to address any gaps or oversights that may exist within your current system.

4. Document, Document, Document

An obvious but surprisingly often overlooked corollary to an effective compliance system is making sure that it is put to work. After all, if your employees do not understand the issues and document their actions, such as maintaining updated control rosters, firewalls for foreign employees, and licenses or exemptions from regulators, the best system on paper will not prevent an export violation or be persuasive in your dealings with the government to resolve a violation in the manner that is most favorable to the company. Having an robust paper trail that demonstrates your company’s best efforts in interpreting and complying with export requirements based on your compliance procedures will go a long way in demonstrating to the government that you have a mature system not only on paper but in practice and that your actions are reasonable, or at least defensible, all of which can be useful mitigating factors when dealing with a violation alleged by the government.

In the same vein, if you are a prime contractor that incorporates components procured from subcontractors you should review their representations and certifications to ensure that the parts they supply comply with all export requirements. You may even want to negotiate an indemnity provision in your subcontracts to cover potential export violations. As a prime contractor, you bear responsibility for the conduct of your subcontractors so it is important not only to factor these considerations into your subcontracts, but to make sure that the proper contractual flow-down provisions are incorporated in your subcontracts so that you have the appropriate level of visibility into subcontractor operations and have the mechanisms to enforce compliance should that become necessary.

5. Don’t Forget Your People

Finally, a compliance system is only as good as the people who implement it. Accordingly, in addition to periodically updating your compliance program, you should train, and provide refreshers to, the relevant people in your organization on the company’s compliance program, including any developments, trends, and best practices in implementing the system. Moreover, you should encourage employees to be proactive in identifying and reporting any potential issues before they become a problem. And, as with other aspects of your program, you should document and maintain all training records. Also, as with updates to your compliance program, there is no firm rule as to how often you should conduct employee trainings. Program updates, revisions, and employee trainings should be conducted as often as is appropriate to fit the needs of your organization’s particular business line, organizational structure, and risk tolerance, and should be made in consultation with key stakeholders from across your organization, including, potentially, outside counsel and consultants.