Compliance Convergence: US Customs and Border Protection’s Importer Self-Assessment Program

Compliance convergence can have several variations. I have written about the convergence from export controls to anti-corruption controls. Last week I wrote about the Lacey Act, which regulates imports of certain types of wood, among other items. One of the valuable lessons of compliance convergence can be the cross-over of lessons learned from one area of compliance to another. I was reminded of this when reading an article in the September issue of the ACC Docket, entitled “Import Loopholes Avoiding the Customs Audit” by Tiffany Jones. Her article discusses the “Importer-Self Assessment” (ISA) program initiated by the US Customs and Border Protection (CPB). The ISA has a requirement for a company to perform a “self-assessment” which means auditing, reporting results and correcting mistakes and implementing process improvements. This ISA relates to imports but it can be very useful for the Foreign Corrupt Practices Act (FCPA) compliance practitioner.

The CPB looks at five criteria to evaluate whether a company is ISA-ready. These will be familiar to the compliance professional. The terminology is a bit different but the concepts are recognizable. These five criteria lay out a good way for a FCPA compliance practitioner to think through an assessment of a company’s FCPA, Bribery Act or other anti-corruption and anti-bribery program.

I.                   Control Environment

Under this criteria, a candidate must demonstrate its commitment to compliance at the highest levels of the organization. Can you say ‘Tone at the Top’? But more than simply the right words, a company must demonstrate this criteria by actually doing. Therefore, this will include written policies, training for key import personnel and company-wide cross training.

II.                Risk Assessment

At least annually, a company should perform a risk assessment to determine which areas of import compliance are the most subject to error or non-compliance. In addition to assessing traditional high risk areas, a company should consider risk which may “flow from changes in personnel or changes in internal controls.” Additionally both transactions and internal controls should be reviewed.

III.             Control Activity

This criteria is defined as the creation of procedures to ensure that the senior management directives as specified in Criteria I – Control Environment are carried out. While Criteria I speaks to overall policies, Criteria III focuses on the procedures to implement the policies.

IV.              Information and Communication

This criteria has two components. First, company personnel are charged with keeping themselves informed of changes to trade regulations and how any changes might effect a company’s operations. Second, this information must be communicated and disseminated throughout the company to all “departments touching on the trade function.” The author quotes from the ISA Handbook, “Pertinent information related to CPB activities is identified, captured and distributed to the right people in sufficient detail, in the right form and at the appropriate time to enable them to carry out their duties…”  I could not have said it better myself.

There are many aspects to compliance convergence. Many practitioners view it as requiring many different types of compliance. This is certainly a valid view. However it can also be used as an opportunity to bring in compliance expertise that may already exist in your company to assist in an anti-corruption compliance program. This Border and Customs Protection format for self-assessment is a guideline that the FCPA practitioner can use as a basis self-assess a company’s compliance program. If you are implementing an anti-corruption program or looking at an anti-bribery program required under the UK Bribery Act there may be resources which you can tap into which exist within your company.

————————————————————————————————–

They’re Back!!!!!! Howard Sklar and I discuss all things FCPA and compliance (well mostly all things) on the return of This Week in FCPA, Episode 16. See and hear Howard go on several rants as we discuss Haiti Teleco, denial of the ICE Mandamus Petition, Oracle’s announcement of a FCPA investigation and the post-trial filings in the Lindsey Mfg. case.

On Thursday, Sept. 15, my colleague Mary Jones and I will discuss how a Best Practices  compliance program can assist you in a FCPA compliance investigation, in a webinar hosted by World-Check and Ethisphere. Mary will discuss her experiences at Global Industries in a multi-year, world-wide FCPA investigation and how Global Industries came out with a Non-Prosecution Agreement. For registration and information, click here.

————————————————————————————————–

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Compliance Convergence: Export Control

Previously we have written about Compliance Convergence, which noted Compliance Expert Howard Sklar, the author of Open Air Blog, has termed as “the merging of control programs such as anti-bribery and anti-corruption, with anti-money laundering, and export control.”, in regard  to the Foreign Corrupt Practices Act (FCPA) and touched on briefly with regards to anti-money laundering laws and regulations. Today we will turn our attention to Howard’s third prong in Compliance Convergence, that of Export Control.

Generally speaking, a Company must comply with all applicable export control laws in the country of origin of the products including, in some instances, the components contained within the products and technologies they are exporting; and all applicable international sanctions that may not be directly addressed in national law (e.g., United Nations sanctions programs). Witness the recent sanctions entered into by the US, UN and EU regarding trade with Libya.

What are some of the lists that a company must check for each overseas transaction? They include the US Department of State’s International Traffic in Arms Regulations (ITAR), which control the export and re-export of military products and technologies. The ITAR site contains a list compiled by the State Department of parties who are barred by §127.7 of ITAR (22 CFR §127.7) from participating directly or indirectly in the export of defense articles, including technical data or in the furnishing of defense services for which a license or approval is required by ITAR.

The Bureau of Industry and Security (BIS) has two lists which a Company must review. These include 1) the Denied Persons List, which provides a list of individuals and entities that have been denied export privileges. Any dealings with a party on this list that would violate the terms of its denial order are prohibited; and 2) the Unverified List which provides a list of parties where BIS has been unable to verify the end use in prior transactions. The presence of a party on this list in a transaction is a “red flag” that should be resolved before proceeding.

The US Treasury Department, Office of Foreign Assets Control (OFAC) has regulations which may prohibit a transaction if a party one of these lists. These lists can include both the Specially Designated Nationals (SDN) list and the General Order 3 to Part 736 (page 9) which sets out the general order which imposes a license requirement for exports and re-exports of all items subject to the Export Administration Regulations (EAR) where the transaction involves a party named in the order.

Therefore, a company must ensure that the US government permits it to export (1) its goods; (2) to the buyer; (3) in a particular company. But more is required that simply checking the status of to whom a company might be selling directly to, even if such buyer is located in the US. Writing in the In-House Texas supplement to the March 7, 2011 edition of the Texas Laywer, Jackson Walker attorney Robert Soza, Jr. in an article entitled, “Establish an Effective Export-Compliance Program’ noted that “multiple US export-control requirements come into play if a company’s actions indicate that it knows that its goods will be exported abroad such as delivering a product to a US port.”

Soza goes on to write that the creation and implementation of an export control policy and program “minimizes the risk of non-compliance and may reduce penalties in the result of a violation.” He sets forth his guidelines of what an effective export control compliance program should include.

1.     Top and Middle Management Committee. The tone from management must support the company’s overall export control efforts.

2.     Continuous Risk Assessment. If a company does not currently have a compliance program, it should initiate an evaluation to determine if it has violated any US export controls laws or regulations in prior transactions.

3.     A written policy back up by a procedures manual. The policy should be spelled out in writing with the detailed procedures filled in on how to conduct an effective export control system.

4.     Ongoing training of employees. Training should be provided for all employees with international sales responsibilities, marketing, export and those involved with the hiring of foreign nationals. The training can be live or web-based. The training should be designed to provide employees with the keys which trigger day-to-day regulatory implications.

5.     Ongoing screening of employees, contractors, customers, products and transactions. There must mechanism through software or other methods for the continuous monitoring of these items and individuals. Simply checking any of the above once only provides a snapshot at the time the review was made. In this current compliance and enforcement environment such checks must be made on each transaction and more continually for employees, contractors, customers and products.

6.     Record Keeping (Document, Document, Document). If you do not keep records and document something you cannot measure it and if you cannot measure it you cannot improve. However, when dealing with the government, if you do not document it, you cannot prove it.

7.     Period Audits. After you have put your export control policy in place, your company should engage in an effective continuous export controls assessment and regular spot audits will help to ensure compliance.

8.     An internal program for the reporting of violations and appropriate mechanism for escalation of any export violations. In addition to some type of hotline for the reporting of any export control violations, your company should have a dedicated export control resource expert who can be available to answer question and generally provide assistance to those employees charged internally with export control.

9.     Appropriate corrective actions to hold employees accountable under a progressive disciplinary program and voluntary self-disclosure. A policy has no teeth if there are no repercussions to employees who violate the export control program. If there are violations, the government will expect to see discipline and training based on event.

(Any of this sounding familiar?)

Soza concluded his article by stating:
While it is often difficult to obtain senior management commitment to an export-compliance program [a company] simply cannot afford to sell their products and services internationally without such a program in place. Penalties for failure to comply with these requirements may result in the loss of export privileges, fines and imprisonment, not to mention damaging publicity.

We do not believe that we could have articulated it better. Compliance Convergence in these areas demonstrates that the ostrich days of a sticking your head in the sand regarding export controls are long gone. But just as convergence demonstrates the widening scope of compliance, we believe that it provides opportunities for cross-discipline compliance. Export control needs to talk to the FCPA compliance attorney and let them know the screening they perform on a regular basis. A company’s treasury or finance department needs to communicate its offshore payment policy regarding its prohibition of payment of any invoices in countries other than the home country of the payee or where the work was perform. There is an opportunity to learn from each of these disciplines so take advantage of the Compliance Convergence in your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011