Compliance is a constant challenge. Once you have invested the time and money to develop or update an Export Compliance Program (ECP)—complete with commodity classifications, comprehensive policies, effective procedures, and tailored training—you must persistently guard your system against the potential damage of change, however it occurs. In our Part I blog, we covered various external changes and how a proactive manager would cope with them. Now we will talk about various internal changes and what should be done in those instances.
To understand these risks, let’s first be clear on the differences. Internal transitions are events or decisions inside, or driven by your company, whereas external transitions are events beyond your walls over which you have no control that impact your compliance system. Examples of the latter include changing regulations, emerging technologies, and turbulent political and global events like the recent developments in Hong Kong and the COVID-19 pandemic. The internal stuff, closer to home, seems more normal, perhaps mundane, but one must be cognizant and vigilant in this arena as well.
Focusing on internal transitions, let’s look at various events inside your company that would force you to expand or adapt your compliance system:
- Losing a key employee is always a headache, but if that person has export control responsibilities, the problem is more specific. All such experts, particularly the Export Compliance Officer (ECO) and the Empowered Official (EO), should have trained back-ups so there is no single point of failure. At the very least, there should be a detailed job description to help recruit and guide the successors. As you might for other key positions and processes, try to anticipate various scenarios and future-proof your compliance staffing.
- Development of new markets may involve a compliance learning curve. Items that can be shipped NLR (No License Required) to some countries will require a license to others or have a presumption of denial to a small number. Think of this as a spectrum of concern with Canada, UK and other nations on the “friendly” end and Iran, North Korea, Syria on the opposite extreme. In between, all the nations of the world are arrayed according to the level of concern they present to the U.S. government. Remember that U.S. export control regulations are not solely about preventing the spread of WMD and weapons in general. They are also deployed to promote other policy objectives like human rights and regional stability.
- Development of new products adds unknown factors into the system, particularly if the new items involve controlled technology. As such, all new products should be classified immediately before any marketing efforts, deal negotiations, or order processing, so that the regulatory jurisdiction is clear (ITAR vs EAR) as well as the licensing requirements. If the new product involves licensable technologies, that introduces numerous additional complications as we’ll explore next.
- Adding licensable technologies to a company’s physical or virtual environment is an important event, particularly if there were no such technologies previously and the company hasn’t already deployed information safeguards. There are several reasons why this is important:
- Hiring of non-U.S. persons may require compliance authorizations (individual licenses) or firewalling their access to licensable information on the company intranet. If you consider sponsoring a non-U.S. person for several types of visas you must certify, under penalty of perjury, that there is no risk of technology transfer to this visa holder.
- Similarly, collaborations with 3rd party organizations will be complicated—right from the outset—if either company has licensable technologies. This will either require firewalls to prevent inadvertent or surreptitious transfer, or the proper types of licenses/authorizations to allow the work to continue.
- Hiring subcontractors, such as the experts who provide your IT services, cleaning crews, or physical security, will require an additional level of advance and ongoing diligence. Foreign IT consultants are obvious risks since they have access to all the non-firewalled information, sensitive and otherwise, on your intranet. Other subcontractors are less obvious concerns, but security guards and cleaning crews will see documents on desks, information on whiteboards, and perhaps dissembled equipment on shop floors—all of which could be valuable to knowledgeable observers. If this sounds like spy stuff, it is. Industrial espionage is real.
- Merger and acquisition strategies may be affected by export control concerns for both the buyer and the seller. First, there is the concept of successor liability. The purchaser buys the export control performance of the acquired company along with everything else, which may include previously unknown and highly problematic compliance violations. If a transaction involves foreign investors, it is likely that it will undergo something called CFIUS (Committee on Foreign Investment in the United States) review, seeking to prevent the transfer of sensitive technology via investment methods. This is not trivial. Potential buyers or sellers should be aware of this common and complex occurrence.
Whether caused by external or internal events, the critical objective is to avoid sudden or gradual efficiency erosion of your compliance capability. Most of these events will occur sooner or later to all companies, so it behooves the proactive Export Compliance Officer to build flexibility and resilience into the compliance system. Among the recommended steps:
- Ensure that all existing and proposed products are classified. If technologies are involved, and they are licensable, then the ECP should have a Technology Control Plan as a subset, dealing very specifically with the risks of technology transfers.
- Ensure that all policies and procedures are in writing, assembled in an ECP Manual, updated as needed, and made available to the staff via the company intranet.
- Ensure that the compliance system is assessed/audited regularly, ideally by an experienced 3rd party who is knowledgeable and objective.
- Ensure that everyone with compliance responsibilities has a back-up, trained in all aspects of the task. Furthermore, a description of those compliance duties should be included in their job description so that continuity is maintained if they are ill or depart.
- Ensure that the Executive team have a working knowledge of export control, enough to recognize those strategic junctures where compliance considerations are critical. As described above, these would include the development of new products and markets, collaborations, subcontracting, and M&A activity.
- Ensure that one or more experts are monitoring political events and regulatory developments regarding export controls, looking for events that might impact your company. Fortunately, there are numerous newsletters, conferences, and training events to make this task easier.
Beyond maintaining the safety of the status quo, the next step up is to develop a culture of compliance within which your staff and appointed experts take pride in the quality and effectiveness of their work. This is not easily achieved but it is the gold standard and well worth striving toward.
In our Part I blog, we covered various external changes and how a proactive manager would cope with them