Pop quiz: See if you can spot the trade-control violation in this fictional account. Mr. Enterprise woke up one morning with a vision that would give his U.S.-based company an edge in the fishing-supply business: a lightweight carbon-fiber rod with tensile strength that would blow his competitors away. In his office that day, he contacted a leading carbon-fiber supplier in the United States and obtained samples of the highest-end stuff, along with the carbon fiber's design and production details which would be helpful in developing state-of-the-art designs for his dream sport rod. Soon thereafter, he went on vacation in Spain and, while there, he spent an hour remotely accessing the design and production data he had received from the carbon-fiber supplier. From Spain, he flew to his company's manufacturing facility in Taiwan, to which he had shipped the carbon-fiber samples and emailed the carbon-fiber data. He discussed the carbon fiber's properties and fishing-rod design with the company's long-serving Singaporean-national designers, and then flew back to the U.S. with all of the samples in his briefcase.
Back home, he signed an immigration renewal application for the company's Norwegian IT director, and then asked her to review his email and install a filter that would alert him immediately to incoming emails related to rod sales. Once installed, the filter alerted him that his approval was needed for a shipment of fiberglass rods to a customer in Mexico named Pedro Bermudez Suaza. He approved the order, and it shipped the next day.
So, did you spot the violation? There were actually at least seven to choose from: accessing U.S. controlled carbon-fiber technology while in Spain; shipping controlled products to Taiwan; sending controlled carbon-fiber technology to Taiwan; giving Singaporean nationals access to controlled carbon-fiber technology; giving the Norwegian national access to controlled carbon-fiber technology (even within the United States); certifying compliance with export control laws on the I-84 immigration form; and conducting business (even for non-controlled products) with a purchaser subject to sanctions for involvement in narcotics trafficking. Depending on the number of samples shipped and the number of people who had access to data, in the real world this scenario could give rise to dozens of distinct violations for U.S. export control enforcement agents to pursue.
The Reach of Trade Controls
The breadth of U.S. trade controls comes as a surprise to many companies that still hold the mistaken view that export controls affect only advanced, sensitive, or weapons-related goods. Some recognize that a few hot-spots like Cuba and Iran are subject to broad embargoes, but many pay little or no attention to the sanctions unless they have direct dealings with those countries. Executives take such a passive approach at their peril, however. The labyrinth of export control and trade sanctions regulations can impact almost any enterprise, and the stakes are high: maximum civil penalties for violations have increased twenty-five fold in recent years, and even more severe penalties apply to criminal violations.
The regulations can even entangle companies that do no business abroad, as providing data or other technical information to a foreign employee or visitor in the United States is equivalent to making an export to that person's home country. In other words, a company can "export" technology as a legal matter without it ever leaving the country. Likewise, a company seeking a visa for a non-immigrant foreign worker must certify under penalty of perjury that it has reviewed the export control regulations and will obtain any necessary licenses prior to giving the employee access to sensitive technology or data.
Companies must also check whether any participants (customer, broker, bank, etc.) in an otherwise uncontrolled transaction appear on any of a variety of "denied party" lists maintained by U.S. government agencies. Moreover, companies must recognize that a transaction constitutes an export even if the product leaves the U.S. only temporarily (to display at a trade show, for example), even if it is a gift or some other kind of non-sales transaction, or even if it is destined for a U.S. person, company or subsidiary located overseas.
Key Federal Agencies
Even when a company realizes it has a trade-control issue to contend with, it can be hard to know how to address it within the government. Of the multiple federal offices that have a role in export controls, three have primary authority. The first is the Bureau of Industry and Security, within the Department of Commerce, which administers the Export Administration Regulations (EAR). These generally apply to so-called "dual-use" items-items that can be used in military or nonmilitary contexts but that were not specifically designed for the military.
Second, exports of "defense articles" and "defense services" are controlled by the Directorate of Defense Trade Controls (DDTC) in the Department of State. DDTC's controls generally apply to items designed for military use, although they also cover certain other sensitive items like commercial communications satellites. DDTC's reach extends to some purely domestic operations: brokers and manufacturers of defense articles must register annually with DDTC-even if they do not export products or services.
Finally, the Office of Foreign Assets Control (OFAC) in the Treasury Department controls transactions with people, entities and countries (like Iran and Cuba) that are the target of U.S. economic sanctions. Some of the sanctions programs that OFAC administers target specific countries (including their nationals, governmental entities and fronts), and others apply to non-governmental entities or individuals that engage in activities like terrorism, human rights abuses, weapons proliferation, or narcotics trafficking. Many U.S. businesses ensure compliance with OFAC's sanctions regulations by checking all pending transactions against the lists OFAC maintains of "denied" governments, entities, and individuals.
Getting Your House in Order
Some companies' executives are vaguely aware of trade controls but say that "the folks in our shipping department are on top of these rules" or "our freight forwarders handle these matters." The reality is that neither a shipping group nor a freight forwarder could have prevented or even noticed most of the violations that Mr. Enterprise committed in pursuit of the perfect rod.
That said, upper management does not have to master the details of trade control law. Instead, there are steps that any company's leadership can take to gauge potential exposure quickly and efficiently. While the best way of kicking the tires will vary from company to company, there are three key inquiries every company should pursue:
- Analyze product lines (including physical goods, data, software, and services) and assess whether they fall within any of the categories subject to control under the relevant lists maintained by U.S. government agencies.
- Assess customers and key partners (banks, freight forwarders, etc.) to determine whether any of them appears on "denied party" lists maintained by U.S. trade regulators. (Commercially available software can largely automate this step.)
- Determine whether the company gives foreign nationals (including employees, contractors, business partners or others) access to data or other controlled technology that could constitute a "deemed" export, even if the data or technology never leaves the United States.
For companies with overwhelmingly domestic operations and sales, running through these inquiries is likely the beginning and end of the trade-control compliance assessment. These companies should repeat the review periodically-perhaps every other year-to account for changes in customers, products and employees. By contrast, if these inquiries indicate that a company has trade-control exposure, or if a company frequently engages in international transactions, then the company should dig deeper. For instance:
- Study whether the company might have already engaged in transactions that were subject to trade controls, and analyze remedial actions if necessary.
- Develop trade-control compliance policies and appoint staff to take responsibility for monitoring and ensuring compliance.
- Institute periodic training for staff with exposure to exports or foreign contacts.
U.S. export control law imposes "strict liability" -- which means that a person or company is liable regardless of whether they intended the violation or even knew their conduct would violate the rules. Mr. Enterprise's foibles are a case in point. Even though he may have had no idea that his efforts could jeopardize anyone other than a largemouth bass, he actually exposed his company and himself to a range of potential sanctions. Depending on factors like the scope and duration of the violations, and Mr. Enterprise's willingness to cooperate with investigators, the sanctions could range from a warning letter, to a substantial fine, to a revocation of exporting privileges.
Because the liability is strict, the only foolproof way to avoid trade control liability altogether is to make sure your company does not violate the rules. Running through the inquiries listed above is a good way to assess quickly whether your company is on the right track. If your assessment leads you to conclude that the company may have already engaged in violations, a proactive approach can pay valuable dividends notwithstanding the strict liability regime. A company that self-reports apparent violations to the relevant U.S. trade agency before the agency learns of the violations independently will often face dramatically reduced penalties and sanctions.
Chad Breckinridge, a partner with the law firm of Wiltshire & Grannis LLP practices in the areas of cross-border trade and investment, litigation, and technology regulation. Among other specializations, he provides advice on assessing trade-control compliance and developing corporate compliance policies.