Export Compliance Program Requirements for EAR

The Bureau of Industry and Security (BIS) has specific Export Compliance Program (ECP) requirements for parties dealing in items controlled under the Export Administration Regulations (EAR).  The purpose of an ECP is to ensure that an organization’s export activities are performed in accordance with U.S. laws and regulations.

Export Administration Regulations

Export Administration Regulations place controls on the export of commodities including intellectual property, technology, and software.  These items which are enumerated in the Commerce Control List (CCL) are often referred to as “dual use” items in that they may have military as well as commercial applications.  These regulations should not be confused with International Traffic in Arms Regulations (ITAR) which deal with military and defense related technologies.

These export controls fall under the jurisdiction of the Department of Commerce and are administered by the BIS.  They are in place to protect the national security, foreign policy, and economic interests of the United States.  As such, violations of these regulations can result in severe civil and criminal prosecution.

Elements of an ECP

An organization’s export compliance program requirements will vary based on the specific exports involved, the size of the organization, the location of customers, and the volume of exports among other concerns.  The BIS has eight specific requirements for an ECP as critical for effective compliance.

Management Commitment Statement

It is important that commitment from senior management be documented and communicated to all personnel.  This commitment should be reviewed annually and should be signed off on by all employees.  Additionally this document should be communicated with contractors, consultants, freight forwarders, sales representatives, and interns.  This document normally should found at the opening pages of the ECP manual.  

Risk Assessments

Organizations are required to perform risk assessments to identify potential issues that could result in violation of export regulations.   When risks are identified, processes can be created to minimize those risks.  A major concern for any exporter is the unauthorized release of sensitive or controlled technologies.  This can occur through a number of weaknesses in an organization’s security.

The term export is not limited to the physical shipment of an item to a foreign person or nation state.  A “deemed export” can occur when regulated information is transferred without authorization.  There are a number of ways this type of transfer could occur including the presence of foreign nationals on site, unauthorized emails or phone calls, or transfer to an unauthorized customer.

To minimize these risks a strong compliance structure should be in place that provides adequate communication of goals and defines roles and responsibilities.  Such a program will institute the necessary procedures to ensure that: items and services are properly classified, all parties both internal and external have been properly screened, and that proper training of team members has been conducted.

Export Authorization

Organizations must engage in specific activities to ensure that exports are conducted lawfully.  The first activity should be a classification of the item or service in question. 

During this process confirmation can be made as to which agency, if any, has jurisdiction over a planned export.  For items falling under the EAR, a specific Export Control Classification Number (ECCN) must be determined.  Often this will require assessment of technical specification that may require input from design personnel. 

Another outcome of a thorough classification is determination of licensing requirements.  These requirements are specified in the EAR Country Chart, however further analysis should always be conducted to ascertain if license exemptions are applicable.

Screening

It is a critical requirement that thorough screening be conducted of all parties involved in an export transaction.  There are over fifty lists of sanctioned parties maintained by the various agencies of the federal government.  As can be expected, these lists undergo constant revisions.  It is therefore usually recommended that a commercially supplied database be accessed that can dynamically screen current and potential customers against current data.

Recordkeeping

The BIS has specific requirement for recordkeeping of export related documentation.  This recordkeeping  should be systematized to ensure consistent performance of document creation and maintenance.  At a minimum, all export activities should be maintained and secured for five years.  As this information is considered sensitive, proper information security protocols are required.  

Training

Adequate training must be provided to ensure that all personnel are capable of performing their specific export compliance responsibilities.  This training must be verified through assessments and each employee must understand that they are responsible and accountable for regulatory compliance.  This training should be structured for specific levels of involvement.  At a minimum, two levels should be created, one for all employees and one for members of the export compliance team.

Audits

Audits should be regularly conducted of the export compliance program to check for inconsistencies in performance and identify potential areas of risk.  These audits may be conducted internally though the BIS does advise that periodic external audits be conducted to provide unbiased validation of the compliance program and its practices.

Handling Export Violations 

It can never be assumed that an organization will not at some point be in non-compliance with export regulations.  It is therefore critical that violations be identified immediately and that documented processes be in place to address violations and take corrective actions.  This should include mechanisms whereby employees report suspected violations and inconsistencies within the program.

Additionally, when violations have been found to occur, procedures should be present that detail submission of a Voluntary Self-Disclosure.  For businesses whose product fall under the jurisdiction of the EAR these disclosures should be submitted to the Director of BIS’s Office of Export Enforcement (OEE).