A web of detailed rules and regulations has long made compliance with U.S. export laws tricky business for companies. Now, increased enforcement activity and a recent legislative change have dramatically raised the stakes for getting it wrong, experts tell Compliance Week.
Part of the challenge companies face in complying with U.S. export controls is that there’s more than one rulebook. “In the U.S., there are a slew of different regulations that govern different types of exports,” says David Lorello, an attorney in the London office of Steptoe & Johnson.
For example, companies might have to contend with the International Traffic in Arms Regulations, administered by the Department of State; the Export Administration Regulations, administered by the Department of Commerce; and the economic and trade sanctions programs, administered by the Treasury Department’s Office of Foreign Assets Control, to name a few.
“The risk of violations are high, and the more international activity a company participates in, the greater the likelihood something will fall through the cracks,” says Giovanna Cinelli, chair of the export control practice group at Patton Boggs.
Further complicating matters is the broad application of the regulations. An export is any item sent from the United States to a foreign destination, regardless of how it’s transferred. That can include commodities, software, or technology. For instance, blue prints, design plans, retail software packages, and technical information can all be considered exports, whether they’re sent by regular mail, hand-carried on an airplane, faxed, downloaded from a Website, or transmitted by e-mail or phone.
“A lot of companies don’t realize how broad the export control laws and regulations are and assume it doesn’t apply to them,” says Joan Koenig, an attorney at Drinker Biddle.
For example, Koenig notes that encryption, common to most software programs, is “so commonplace that people don’t think about it, but the government has huge concerns about encryption from a terrorism standpoint.”
Lorello of Steptoe & Johnson agrees. “The most common inadvertent violations occur when a company doesn’t think it’s exporting anything sensitive because they’re not making bombs and doesn’t realize that the products are controlled,” he says. “They can go years exporting products that fall within these regulations without knowing it.”
An export may not even have to leave the country to require a license. Under the “deemed export” rule, if a company plans to transfer information or technology that is controlled to a foreign national in United States, an export license is required.
Inadvertent violations often occur because U.S. companies hire engineers from other countries and don’t get the required export license to share controlled information or technology, says Matthew Goldstein, an attorney with Miller & Chevalier.
Experts note that the consequences for running afoul of the regulations may be even more daunting than the regulations themselves.
“Until they know how an item is classified, companies can’t know what level of internal controls they have to have to properly manage their risk.”
— Joan Koenig,
First, there are the fines. “The chances of getting caught are higher than in the past, and the chance of extreme penalties are higher than they’ve ever been,” says Koenig, who adds that the Justice Department is focusing on enforcement in this area.
Observers cite a March 2007 settlement with ITT Corp., a manufacturer of military night-vision equipment for the U.S. Armed Forces, which was slapped with a $100 million penalty—one the largest ever in a criminal export control case—related to the illegal export of restricted night vision data.
Legislation enacted last October increased the maximum civil penalties under the International Emergency Economic Powers Act from $50,000 to $250,000 per violation, or twice the amount of the transaction, whichever is greater. The maximum criminal penalty jumped from $50,000 to $1 million per violation and 20 years in prison.
Penalties under ITAR are even higher. Civil violations carry a maximum $500,000 penalty per violation, while criminal violations have a $1 million maximum per violation and up to 30 years in prison.
Worse yet, in addition to monetary penalties, companies could lose government contracts, have their export licenses revoked, or lose their export privileges for long periods. In extreme cases, violations could put a company out of business.
“If a company has a high volume of export business, being subject to a denial order—even without the draconian civil and criminal penalties—can shut down their business,” says David Dunbar, a partner with Katten Muchin Rosenman.
Experts say the task of determining which regulations apply to their products is itself a huge challenge for most companies.
“The biggest problem area is deciding which export regime applies,” says Cinelli of Patton Boggs. “So much of what was used only by the military has begun to move into the commercial world, the lines have been blurred about what’s a dual-use or a defense article.”
Koenig agrees. “Until they know how an item is classified, companies can’t know what level of internal controls they have to have to properly manage their risk,” she notes.
Goldstein of Miller & Chevalier says that, generally, companies should assume they need a license until they’ve done the analysis that shows them that they don’t.
Even after classifying their items and determining whether they’re controlled and whether they require an export license, companies must ensure that they’re not sending it to a person or place that’s prohibited.
“As a U.S. company doing business internationally,” says Goldstein, “you need to know who you’re doing business with.”
Prohibited party screening is a “highly complicated area, and there’s nothing intuitive about it,” notes Dunbar.
“Between the Treasury, Commerce and State Departments, there’s a whole host of lists of persons, entities, and countries companies can’t enter into certain transactions with,” says Goldstein. Indeed, there are seven separate lists to check on the Bureau of Industry and Security Website alone.
That’s made more complicated by the increasingly global nature of many businesses, notes Koenig. Co-development work with foreign subsidiaries can pose a huge risk, since the re-export of controlled items of U.S. origin or with a U.S. connection without the proper licenses can violate export controls.
Export control violations can, in some cases, trigger disclosures under Sarbanes-Oxley. “It’s possible an export control violation could rise to level of materiality for purposes of SOX,” particularly for companies that are heavily exposed to export controls risk, such as those in the defense industry and in the high-tech telecommunications manufacturing sector, says Lorello.
Further, because successor liability applies, they can have major implications in mergers and acquisitions. “If you’re the acquiring company and you fail to detect a violation, you’re on the hook,” says Goldstein.
Export control compliance issues can also delay or affect the valuation of transactions and could be a potential deal killer in extreme cases, says Cinelli.
Experts say the best defense is a strong, written compliance program and training. While the export regulations themselves don’t have a legal requirement for an internal compliance program, Goldstein says, “The rules are too complicated not to have one.”
Moreover, he notes, “Whenever a client reports a visit from the agencies that enforce these laws, they say the first document they always ask for is a copy of the company’s compliance program.”
Goldstein says many companies either don’t have a comprehensive or valid program that covers all of their export control compliance risks, or “they have some things in writing, but they don’t follow them.”
Having a policy gathering dust may be worse than not having one. “It might be enough to elevate violations from civil to criminal,” he says.
At a minimum, Goldstein says companies ought to review guidance provided on the State and Commerce Department Websites regarding effective compliance programs.