FCPA Compliance and Ethics Blog

December 23, 2011

Coalition for Excellence in Compliance Releases Restricted Party Screening and Other Export Compliance Best Practices

Ed. Note-I often talk about compliance convergence. Today we host a guest post from our colleague and fellow UT Longhorn, Doug Jacobson. This article originally appeared in Doug’s blog, International Trade Law News. In his blog Doug discusses news, analysis and information on export control, sanctions, customs law, FCPA, anti-dumping and other international trade issues. We reprint his article, with his permission, in its entirety.
The Coalition for Excellence in Export Compliance (CEEC) (pronounced “seek”), a voluntary group of experienced export compliance professionals from leading companies, law firms, research organizations and consulting firms, recently released a series of detailed and practical standards containing best practices on a wide range of important topics for export and sanctions compliance programs.

CEEC’s mission is to provide a uniform set of best practices that companies and trade compliance professionals could use to provide clarity over the existing patchwork of official and unofficial guidance regarding export and sanctions compliance requirements and programs. The best practices are not tied to any particular country’s laws or requirements and are intended to be applicable worldwide.
To date, CEEC has issued best practices covering a wide range of topics, including: screening, training, classification, personnel, management commitment, license determinations and use, and intangible exports. Additional compliance-related best practices topics will be issued by CEEC in the near future.
CEEC’s best practices on Restricted Party Screening  contains valuable guidance on restricted party screening programs and ways to implement screening programs. For example, CEEC’s restricted party screening best practices provides recommendations on the types of parties to be screened, how and when screening should be conducted, the structure of restricted party screening programs, the lists to check and how matches and potential matches to restricted party lists should be handled.
With respect to the types of parties to be screened, CEEC’s screening best practices note that both domestic and international transactions should be screened, since certain restrictions may apply to domestic transactions, domestic transactions may be part of an international transaction, and reputational concerns may exist. The screening best practices provide a detailed list of the types of parties that should be screened (to the extent applicable), including customers, suppliers, freight forwarders, banks, agents, ship to parties, etc.
CEEC’s screening best practices indicate that a “software tool should be used for screening” and that it should “employ a “fuzzy logic” algorithm to identify close as well as identical matches.” Of course, because restricted party list changes are often effective immediately, the “the automated screening tool must promptly update all applicable watch lists as these lists are changed and updated by issuing authorities.”
As for the structure of a restricted party screening program, CEEC’s screening best practices recommend that the screening process should be documented, and it could be “advantageous to centralize the screening program” in order to “minimize duplicative work and promote uniformity.”
Regarding the lists to check, CEEC advises that a “risk analysis should be done to determine which lists (by country, type, etc.) are needed for the organization to use for screening.” For example, it “may be appropriate to use different lists for different businesses, different categories of transactions, or different geographic locations.”
CEEC’s screening best practices provides specific information and guidance on the frequency of screening and at what point in the screening process screening should be done. For example, the best practices recommend that new business partners should be screened prior to the first transaction or other business dealing and that organizations “should consider implementing procedures to screen at the time the business partner is entered into the organization’s database, when background or credit checks are run, when quotes or proposals are requested, or at some other time, as appropriate.” The best practices indicate that “the intervals in between database screenings should be measured and limited in order to mitigate the risk of doing business with a restricted/prohibited/denied party.”
Finally, with respect to screening matches and potential matches, CEEC’s best practices state that an organizations’ restricted party screening process “must allow for a transaction to be halted unless and until any screening matches are cleared. To minimize business disruption, potential matches should be cleared as promptly as possible and the determination “should be documented.” When an actual match to a restricted party list occurs, the CEEC best practices advise that “depending upon the nature of the list, the legal applicability in the jurisdiction, and an evaluation of reputational concerns, the process must allow for determination by an authorized person whether the transaction may proceed . . . and this decision should be documented.”
CEEC members encourage comments and suggestions for improving the best practices and CEEC’s website contains a contact page for the submission of comments on their efforts to date.
We wish a Happy Holidays to all and in spite of what Rick Perry may say, you can say Merry Christmas out loud.

December 9, 2011

Compliance Convergence: Deemed Exports

I write regularly about compliance convergence. One of the areas which converge with anti-corruption compliance is export control. Within the area of export control, a sub-area which is little discussed and less understood, is the area of deemed exports. I recently saw an article on this issue in the Oct/Nov issue of the SCCE Magazine, entitled “Understanding the compliance risk of deemed exports” by Anthony Hardenburgh. The author, Vice President of Global Trade Content for Amber Road (formerly Management Dynamics Inc,) laid out the regulations governing this issue and then delineates some controls to manage this export control risk of deemed exports.

What is a Deemed Export?

As a general rule, a deemed export occurs when US technology, which otherwise requires a license for export, is made available to a foreign national by verbal communication, visual inspection or practical use within or outside the United States. The deemed export rule is of great importance to both universities and in the business world. There are numerous ways in which a deemed export can occur. It can come through discussions by professional colleagues in academia, presenting a paper with licensed technology at a conference or by a plant tour of your company.

The consequences of a violation of the deemed export rule can be severe. An administrative penalty can be the greater of $250,000 or twice the value of the transaction involved for each administrative violation. Such a violation can also include the denial of export rights, which for a company with an international business can be devastating. There can also be a criminal penalty attached for serious violations, with a fine levied of up to $1MM and/or up to 20 years in prison. Indeed a University of Tennessee professor was criminally convicted and sentenced to 48 months in prison for “allowing foreign students access to export-controlled research”, in spite of warnings by the university compliance officer that such conduct was not allowed under the deemed export rule.

Risk Management

What steps can you, as a compliance officer, take to manage this risk? Hardenburgh notes that many compliance officers will not know or even understand everything happening in every university lab or company test facility. The management of this risk begins with preventative steps which Hardenburgh lists as follows:

  • Written Export Control Policy, including Deemed Exports.
  • Ongoing training on this Policy.
  • Continuing communications to employees.
  • Risk evaluation to determine if export licenses are required. If licenses are required make certain that such technology is not made available until the licenses are obtained.
  • Monitoring the entire process to detect any deviations from the Compliance Program.
  • Safeguard licensed technologies from viewing or release to foreign nationals.
  • Document all steps taken.

Compliance Convergence

The steps that Hardenburgh has suggested will not sound new or radical to the compliance professional. Determining if a risk exists, evaluating that risk and then managing that risk is standard fair in the compliance world. The deemed export rule is just one additional risk that should fall under compliance through export control. Although the penalties can be severe, the solutions to manage the risk are relatively straight-forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

May 19, 2011

Compliance Convergence: Export Control

Previously we have written about Compliance Convergence, which noted Compliance Expert Howard Sklar, the author of Open Air Blog, has termed as “the merging of control programs such as anti-bribery and anti-corruption, with anti-money laundering, and export control.”, in regard  to the Foreign Corrupt Practices Act (FCPA) and touched on briefly with regards to anti-money laundering laws and regulations. Today we will turn our attention to Howard’s third prong in Compliance Convergence, that of Export Control.

Generally speaking, a Company must comply with all applicable export control laws in the country of origin of the products including, in some instances, the components contained within the products and technologies they are exporting; and all applicable international sanctions that may not be directly addressed in national law (e.g., United Nations sanctions programs). Witness the recent sanctions entered into by the US, UN and EU regarding trade with Libya.

What are some of the lists that a company must check for each overseas transaction? They include the US Department of State’s International Traffic in Arms Regulations (ITAR), which control the export and re-export of military products and technologies. The ITAR site contains a list compiled by the State Department of parties who are barred by §127.7 of ITAR (22 CFR §127.7) from participating directly or indirectly in the export of defense articles, including technical data or in the furnishing of defense services for which a license or approval is required by ITAR.

The Bureau of Industry and Security (BIS) has two lists which a Company must review. These include 1) the Denied Persons List, which provides a list of individuals and entities that have been denied export privileges. Any dealings with a party on this list that would violate the terms of its denial order are prohibited; and 2) the Unverified List which provides a list of parties where BIS has been unable to verify the end use in prior transactions. The presence of a party on this list in a transaction is a “red flag” that should be resolved before proceeding.

The US Treasury Department, Office of Foreign Assets Control (OFAC) has regulations which may prohibit a transaction if a party one of these lists. These lists can include both the Specially Designated Nationals (SDN) list and the General Order 3 to Part 736 (page 9) which sets out the general order which imposes a license requirement for exports and re-exports of all items subject to the Export Administration Regulations (EAR) where the transaction involves a party named in the order.

Therefore, a company must ensure that the US government permits it to export (1) its goods; (2) to the buyer; (3) in a particular company. But more is required that simply checking the status of to whom a company might be selling directly to, even if such buyer is located in the US. Writing in the In-House Texas supplement to the March 7, 2011 edition of the Texas Laywer, Jackson Walker attorney Robert Soza, Jr. in an article entitled, “Establish an Effective Export-Compliance Program’ noted that “multiple US export-control requirements come into play if a company’s actions indicate that it knows that its goods will be exported abroad such as delivering a product to a US port.”

Soza goes on to write that the creation and implementation of an export control policy and program “minimizes the risk of non-compliance and may reduce penalties in the result of a violation.” He sets forth his guidelines of what an effective export control compliance program should include.

1.     Top and Middle Management Committee. The tone from management must support the company’s overall export control efforts.

2.     Continuous Risk Assessment. If a company does not currently have a compliance program, it should initiate an evaluation to determine if it has violated any US export controls laws or regulations in prior transactions.

3.     A written policy back up by a procedures manual. The policy should be spelled out in writing with the detailed procedures filled in on how to conduct an effective export control system.

4.     Ongoing training of employees. Training should be provided for all employees with international sales responsibilities, marketing, export and those involved with the hiring of foreign nationals. The training can be live or web-based. The training should be designed to provide employees with the keys which trigger day-to-day regulatory implications.

5.     Ongoing screening of employees, contractors, customers, products and transactions. There must mechanism through software or other methods for the continuous monitoring of these items and individuals. Simply checking any of the above once only provides a snapshot at the time the review was made. In this current compliance and enforcement environment such checks must be made on each transaction and more continually for employees, contractors, customers and products.

6.     Record Keeping (Document, Document, Document). If you do not keep records and document something you cannot measure it and if you cannot measure it you cannot improve. However, when dealing with the government, if you do not document it, you cannot prove it.

7.     Period Audits. After you have put your export control policy in place, your company should engage in an effective continuous export controls assessment and regular spot audits will help to ensure compliance.

8.     An internal program for the reporting of violations and appropriate mechanism for escalation of any export violations. In addition to some type of hotline for the reporting of any export control violations, your company should have a dedicated export control resource expert who can be available to answer question and generally provide assistance to those employees charged internally with export control.

9.     Appropriate corrective actions to hold employees accountable under a progressive disciplinary program and voluntary self-disclosure. A policy has no teeth if there are no repercussions to employees who violate the export control program. If there are violations, the government will expect to see discipline and training based on event.

(Any of this sounding familiar?)

Soza concluded his article by stating:
While it is often difficult to obtain senior management commitment to an export-compliance program [a company] simply cannot afford to sell their products and services internationally without such a program in place. Penalties for failure to comply with these requirements may result in the loss of export privileges, fines and imprisonment, not to mention damaging publicity.

We do not believe that we could have articulated it better. Compliance Convergence in these areas demonstrates that the ostrich days of a sticking your head in the sand regarding export controls are long gone. But just as convergence demonstrates the widening scope of compliance, we believe that it provides opportunities for cross-discipline compliance. Export control needs to talk to the FCPA compliance attorney and let them know the screening they perform on a regular basis. A company’s treasury or finance department needs to communicate its offshore payment policy regarding its prohibition of payment of any invoices in countries other than the home country of the payee or where the work was perform. There is an opportunity to learn from each of these disciplines so take advantage of the Compliance Convergence in your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Blog at WordPress.com.