The Directorate of Defense Trade Control (DDTC) has released Export Compliance Program Guidelines to provide businesses with an overview of best practices for complying with the International Traffic in Arms Regulations (ITAR). These guidelines encourage organizations to adopt robust policies and procedures to ensure that compliance with export controls for items enumerated in the United States Munitions List (USML) is maintained.
Management Commitment
As with any effective business undertaking, top management must show commitment to export compliance by creating a culture of compliance. This culture can be created by management at all levels through words and actions that place a priority on avoiding export violations. These priorities should be regularly communicated to all employees, contractors, suppliers, and customers.
All employees should understand that export compliance is an expected responsibility. This should be communicated in an Export Compliance Manual that sets forth all policies and procedures. They should be encouraged to recommend methods for improving compliance and reducing risk. Additionally, all employees should be made aware of disciplinary actions for non-compliance.
Creating a Compliance Program
When creating an export compliance service it is important to tailor the program to identify and address the specific risks that could lead to violations. Policies and Procedures can then be created to address these risks. This should include a management commitment statement that underscores the organization’s commitment to export compliance.
These policies and procedures must receive adequate resources and be regularly reviewed by top management to assess their performance. Resources required for a program should include training, funding, adequate personnel, information security management, and organizational management. The adequacy of these resources should be continually reviewed throughout an organization’s evolution.
Responsibilities, authorities, and points of contact should be clearly defined and communicated within the organization. Export Compliance Officers (ECO) and Empowered Officials (EO) should overseeing and implementing functions of the compliance program and for investigating, identifying, and correcting causes for any ITAR violations.
Activities Associated with Export Compliance
Classification
Export Control Classification is required of businesses selling products that fall under the jurisdiction of any federal regulations. An export can include sale of goods within the United States to a person or entity that is not a U.S. person. A transfer of technical data can also be considered an export which can be conducted by means of a phone call or email.
Export Control Classification begins with the defining the technical specifications for the item to be transferred. This applies to actual shipments as well as transfers of technical data. It is important to note that a given product may fall under numerous classifications based on how regulations are interpreted.
It is essential to ensure that a thorough analysis be conducted to ensure that due diligence for compliance has been met. Therefore it is not prudent to rely on a customer’s or supplier’s classification as there are severe consequences for non-compliance.
Registration
The DDTC Export Compliance Program Guidelines outline the many activities that are part of a compliance program. These of course begin with registration with the the DDTC, which is a requirement for any manufacturer, exporter, or broker of defense products or services. The agency also details types of registration and requirements for registration changes.
Licensing, Agreements and Approvals
Other activities include applying for licenses, agreements, or other approvals from the DDTC for export, reexport, retransfers or temporary import of controlled goods and services. The activities include Manufacturing Licensing Agreements (MLA), Technical Assistance Agreements (TAA), and Distribution Agreements.
Restricted Party Screening.
Significant emphasis was given in the guidance to the performance of restricted party screening for all parties involved in a transaction. This activity is often overlooked or performed with insufficient care in many organizations. Restricted Party Screening should also be performed on all personnel and any other parties who may come in contact with controlled items or data thereof.
Cybersecurity
Although the ITAR does not include specific cybersecurity requirements, there are regulatory requirements to protect information and data of controlled items. CMMC is a requirement for organizations contracting with the Department of Defense (DoD) that handle Controlled Unclassified Information (CUI).
The guidance suggests the use of cybersecurity protocols and encryption to protect this sensitive data. It also recommends the establishment of policies and procedures for employees traveling with mobile devices.
Recordkeeping
It is a requirement of ITAR to maintain records pertaining to the manufacture, acquisition, and disposition of defense articles. These records must be maintained for a minimum of five years. They should include licenses, exemptions, technical data exports, brokering activities, and any political contributions, fees, and commissions. The DDTC again calls for documented policies and procedures that define what activities must be documented and allocate specific responsibilities for the creation and maintenance of those records.
Detecting, Reporting, and Disclosure of Violations
The DDTC understands that violations of export regulations often occur through error. However, because these violations can cause harm to the national security and foreign policy of the United States, it is important that organizations detect these violations, investigate the cause of the violation, take corrective actions to mitigate further violations, and report these violations through the Voluntary Disclosure mechanism.
Training
It is essential that organizations perform training programs that provide sufficient levels of education for all employees, especially those members of the organization’s export compliance team. This training should be up to date and utilize knowledgeable and experienced trainers. Furthermore the depth of the training should reflect the level of activity that person has in the compliance program.
Risk Assessments
It is important to continually reassess risks that may lead to ITAR violations. Considerations in the reassessments should include changes in the organization, the physical and cybersecurity infrastructure, the organizations, employees, customers, suppliers, and other third parties. These should occur as required throughout the year.
Audits and Compliance Monitoring
Independent and objective audits must be performed regularly to provide inputs in determination of the compliance programs effectiveness. These audits should include interviews with relevant personnel, review of documentation, site security, and IT security. Various types of audits should be included including functional level audits focusing on specific areas, program level audits, and external audits.
CVG Strategy Can Help
The DDTC’s Export Compliance Program Guidelines underscore the importance of viable export compliance programs for businesses engaged in sales of defense articles and defense services. These programs should be incorporated into an organization’s management system to ensure effective mitigation of risks associated with violations.
CVG Strategy can help you in understanding Export Administration Regulations and establishing a coherent and effective export compliance system. We can perform export control classifications, perform audits, and educate your team. Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.