Bureau of Industry and Security Requirements for Compliance Programs
The Bureau of Industry and Security (BIS) has specific Export Compliance Program (ECP) requirements for parties dealing in items controlled under the Export Administration Regulations (EAR). The purpose of an ECP is to ensure that an organization’s export activities are performed in accordance with U.S. laws and regulations.
Export Administration Regulations
Export Administration Regulations place controls on the export of commodities including intellectual property, technology, and software. These items which are enumerated in the Commerce Control List (CCL) are often referred to as “dual use” items in that they may have military as well as commercial applications. These regulations should not be confused with International Traffic in Arms Regulations (ITAR) which deal with military and defense related technologies.
These export controls fall under the jurisdiction of the Department of Commerce and are administered by the BIS. They are in place to protect the national security, foreign policy, and economic interests of the United States. As such, violations of these regulations can result in severe civil and criminal prosecution.
Elements of an ECP
An organization’s export compliance program requirements will vary based on the specific exports involved, the size of the organization, the location of customers, and the volume of exports among other concerns. The BIS has eight specific requirements for an ECP as critical for effective compliance.
Management Commitment Statement
It is important that commitment from senior management be documented and communicated to all personnel. This commitment should be reviewed annually and should be signed off on by all employees. Additionally this document should be communicated with contractors, consultants, freight forwarders, sales representatives, and interns. This document normally should found at the opening pages of the ECP manual.
Organizations are required to perform risk assessments to identify potential issues that could result in violation of export regulations. When risks are identified, processes can be created to minimize those risks. A major concern for any exporter is the unauthorized release of sensitive or controlled technologies. This can occur through a number of weaknesses in an organization’s security.
The term export is not limited to the physical shipment of an item to a foreign person or nation state. A “deemed export” can occur when regulated information is transferred without authorization. There are a number of ways this type of transfer could occur including the presence of foreign nationals on site, unauthorized emails or phone calls, or transfer to an unauthorized customer.
To minimize these risks a strong compliance structure should be in place that provides adequate communication of goals and defines roles and responsibilities. Such a program will institute the necessary procedures to ensure that: items and services are properly classified, all parties both internal and external have been properly screened, and that proper training of team members has been conducted.
Organizations must engage in specific activities to ensure that exports are conducted lawfully. The first activity should be a classification of the item or service in question.
During this process confirmation can be made as to which agency, if any, has jurisdiction over a planned export. For items falling under the EAR, a specific Export Control Classification Number (ECCN) must be determined. Often this will require assessment of technical specification that may require input from design personnel.
Another outcome of a thorough classification is determination of licensing requirements. These requirements are specified in the EAR Country Chart, however further analysis should always be conducted to ascertain if license exemptions are applicable.
It is a critical requirement that thorough screening be conducted of all parties involved in an export transaction. There are over fifty lists of sanctioned parties maintained by the various agencies of the federal government. As can be expected, these lists undergo constant revisions. It is therefore usually recommended that a commercially supplied database be accessed that can dynamically screen current and potential customers against current data.
The BIS has specific requirement for recordkeeping of export related documentation. This recordkeeping should be systematized to ensure consistent performance of document creation and maintenance. At a minimum, all export activities should be maintained and secured for five years. As this information is considered sensitive, proper information security protocols are required.
Adequate training must be provided to ensure that all personnel are capable of performing their specific export compliance responsibilities. This training must be verified through assessments and each employee must understand that they are responsible and accountable for regulatory compliance. This training should be structured for specific levels of involvement. At a minimum, two levels should be created, one for all employees and one for members of the export compliance team.
Audits should be regularly conducted of the export compliance program to check for inconsistencies in performance and identify potential areas of risk. These audits may be conducted internally though the BIS does advise that periodic external audits be conducted to provide unbiased validation of the compliance program and its practices.
Handling Export Violations
It can never be assumed that an organization will not at some point be in non-compliance with export regulations. It is therefore critical that violations be identified immediately and that documented processes be in place to address violations and take corrective actions. This should include mechanisms whereby employees report suspected violations and inconsistencies within the program.
Additionally, when violations have been found to occur, procedures should be present that detail submission of a Voluntary Self-Disclosure. For businesses whose product fall under the jurisdiction of the EAR these disclosures should be submitted to the Director of BIS’s Office of Export Enforcement (OEE).
Implementing an Export Compliance Program
As can be seen, there are numerous Export Compliance Program requirements for businesses that conduct export of goods and services controlled under the EAR. This can pose challenges for smaller organizations that are evolving into the export arena. When the BIS conducts investigations into export activities, the presence of a viable compliance program weighs heavily on their applications of fines and penalties.
CVG Strategy export compliance experts have decades of experience in developing tailored export compliance programs for organizations of all levels. We can provide the necessary coaching and training to get your program operational. We also can provide support with classifications, licensing, and external auditing.
How Can We Help?
CVG Strategy provides expertise to businesses in Quality Management, Product Test and Evaluation, Cybersecurity, and Export Compliance. Learn how we can develop your business’s potential by reaching out to our team members.