An Overview of US Export Control and Economic Sanctions Laws
Every company that sends its products, software, technology, or provides services outside of the United States is subject to US export control and economic sanctions regulations. From the largest multinational corporations to the smallest start-ups, from manufacturers of software to softballs, from toothpicks to pharmaceuticals, from rock candy to rocket fuel, all US companies and their employees, along with anyone present in the United States, US citizens wherever they are located, and companies transferring US-controlled items must familiarize themselves with these regulations to ensure that they understand what is required to comply. In addition, companies that do not export products can still be subject to these regulations if they employ foreign nationals (individuals who are not US citizens, permanent residents, or refugees), have prospective customers or other visitors who are foreign nationals, re-export U.S.-controlled products, or provide a service available outside of the United States. Penalties for inadvertent noncompliance can be steep, with civil monetary penalties of more than $330,000 per violation and even higher criminal penalties.
The US export control regulations were enacted to ensure that transfers of items, technology, or services are accomplished in a manner that is consistent with the US government’s national security and foreign policy goals. The US economic sanctions laws are promulgated to restrict trade, investment, and financial transactions based on these foreign policy and national security goals. Coordinating regulations also restrict a US company’s ability to participate in unsanctioned foreign boycotts.
The purpose of this article is to provide an overview of the primary laws and regulations involved and provide guidance on how to develop and implement policies and procedures that will be effective in helping your organization maintain compliance with these laws. This article is, of course, meant to be a broad overview of the export control and economic sanctions laws and related compliance tools. These laws contain many fine points and exceptions, which although not addressed in this chapter, are important to appreciate if they are relevant to your company’s business. Thus, we urge you to dig deeper into the regulations when a transaction appears to require licensing or if you are to embark on a business strategy where foreign person involvement is required. Finally, we note these laws frequently change in response to changes in US perspective on national security and foreign policy. Therefore, it is essential for companies and individuals engaged in international business transactions to check the official versions of the export control and economic sanctions laws, as well as the Federal Register, on an ongoing basis.[2]
When using the term export control laws, we are primarily talking about the Export Administration Regulations (EAR), administered by the U.S. Department of Commerce’s (Commerce) Bureau of Industry and Security (BIS); the International Traffic in Arms Regulations (ITAR), administered by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC); and trade and economic sanctions administered by the Office of Foreign Assets Control (OFAC) at the U.S. Department of the Treasury (Treasury).
The Export Administration Regulations
Products, software, and technology that have a primarily commercial use fall under the EAR. The EAR include restrictions on direct exports from the United States; reexports of US-controlled products, software, and technology from one country outside of the United States to another; transfers of US-controlled products from one foreign person to another within the same country; and the disclosure of US-controlled technology to a foreign person, whether in the United States or abroad. These restrictions include the export, reexport, or transfer of US-controlled products, software, and technology, as well as the reexport or transfer of certain items produced outside of the United States that are either based on certain US-controlled technology, incorporating or manufacturing or designed using certain U.S.-controlled software or technology, or that incorporate a certain amount of US-origin parts and components. The restrictions imposed by the EAR generally fall into one of three categories: item-based controls, end-user-based controls, and end-use-based controls.
Item-Based Controls
A key feature of the EAR is the Commerce Control List (CCL),[3] a list of products, software, and technologies that are controlled based on their technical parameters. Classification of products, software, or technologies on the CCL generally also provides guidance on the countries to which the export, reexport, or transfer is controlled and the circumstances under which the products, software, or technologies may be exported, reexported, or transferred. Thus, consulting the CCL and identifying the applicable Export Control Classification Number (ECCN) is the first and an important step in determining whether a license is required under the EAR. Products, software, and technologies that are subject to the EAR, but not included in a specific ECCN, are classified as EAR99. EAR99 items are still subject to US export controls.
As noted above, the EAR also provide parameters for the export, reexport, or transfer of US-controlled technology. Under the EAR, the term “technology” is broadly defined to include “information necessary for the ‘development,’ ‘production,’ ‘use,’ operation, installation, maintenance, repair, overhaul, or refurbishing…of an item.” Technology includes “written or oral communications, blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, manuals or documentation, electronic media or information revealed through visual inspection.”[4]
Whether a license is required for the export of products, software, and technologies is determined by the item’s classification in combination with the country that it is destined for the end user involved and the expected end use. Where products, software, and technologies are subject to a licensing requirement under the EAR, one of several license exceptions may be available, thus permitting, in some cases, an export, reexport, or transfer without the need to first obtain a license. A description of these license exceptions can be found in Part 740 of the EAR.[5]
End-User Controls
In addition to the item-based controls described above, the EAR also includes end-user-based controls that prohibit, impose a license requirement on, or mandate additional due diligence prior to exports, reexports, and transfers of products, software, and technologies subject to the EAR. The US government has determined that these individuals and entities may pose a risk to US national security or foreign policy goals or that the end user may divert such products, software, and technologies to a program, country, or end user who does so. The lists include the following:
-
Denied Persons List: BIS’s Denied Persons List (DPL) identifies those persons denied export privileges under the EAR by BIS as a consequence for having violated the EAR. Persons on the DPL are prohibited from engaging in any transaction involving any products, software, or technologies, or in some cases, activities, subject to the EAR.[6]
-
Entity List: The Entity List, maintained by BIS, identifies those persons whose activities BIS has determined pose a risk to US foreign policy goals. Placement on the Entity List means that a license is required from BIS before most, if not all, products, software, or technologies subject to EAR can be sent to a listed entity. Generally, BIS has a presumption of denial for such license applications.[7]
-
The Unverified List: BIS’s Unverified List (UVL) is a list of persons involved in prior transactions subject to the EAR for which BIS has not determined the legitimacy of that entity or the veracity of the entity’s intention to properly use US-origin products, software, or technologies. Being listed on the UVL neither prohibits a company from receiving US-controlled products, software, or technologies, nor imposes a new license requirement, but rather raises a red flag with respect to transactions that include these entities. Companies are required to clear such red flags, through additional due diligence or and by obtaining additional written assurances, before proceeding with a transaction. If an exporter cannot clear up the red flags, it must apply to BIS for a license for the transaction before proceeding further.[8]
Additionally, other agencies maintain similar lists of restricted parties. These lists include:
-
OFAC’s Specially Designated Nationals List and Sectoral Sanctions Identifications List,[9] and
-
U.S. Department of State’s list of Foreign Terrorist Organizations[10] and List of Statutorily Debarred Parties.[11]
The licensing requirements for exports, reexports, or transfers to parties on any of the lists typically extend to all products, software, and technologies subject to the EAR, including items listed on the CCL as well as items classified as EAR99 and including products manufactured and developed abroad if determined to be subject to the EAR.
In addition, to comply with the EAR, prior to exporting, a company should screen for red flags, listed in the EAR’s “BIS’s ‘Know Your Customer’ Guidance and Red Flags.”[12] When present, red flags can “indicate that the export may be destined for an inappropriate end-use, end-user, or destination.” To assess whether such red flags are present, a company should review transaction information provided by a customer with an eye toward identifying anything that may not align with the norm for the particular business or products involved. If red flags appear, a company must conduct additional due diligence into the customer’s representations in an attempt to clear the red flags. If a company is unable to clear a red flag, a company is, under the EAR, now considered to know or have reason to know that a violation may occur and, thus, must mitigate a potential violation by either cancelling the transaction or, prior to exporting, obtain a license or other guidance from BIS.
The EAR also place certain restrictions on exports and reexports to and transfers within countries embargoed or sanctioned by the US government. Currently, the EAR impose significant restrictions on any transactions involving Belarus, China, Cuba, Iran, North Korea, Russia, Syria, and sanctioned regions of Ukraine.[13]
End-Use Controls
The EAR also impose a license requirement on the export, reexport, or transfer of any item subject to the EAR (both those on the CCL and classified as EAR99) if, at the time of the export or reexport, the person knows the item will be used directly or indirectly in certain nuclear, missile, chemical, or biological end uses. Additional end-use (and end-user) controls exists on exports of items to be used in military end uses (or provided to military end users) in Belarus, Burma, Cambodia, China, Russia, and Venezuela. These restrictions apply even to EAR99 items in many cases.
The International Traffic in Arms Regulations
The export, reexport, or transfer of products, software, and technical data that are primarily useful for military purposes often fall under International Traffic in Arms Regulations (ITAR). These items, called defense articles and controlled under the ITAR, are listed on the United States Munitions List.[14] Additionally, the ITAR control “defense services.” These defense services include “[t]he furnishing of assistance (including training) to foreign persons, whether in the United States or abroad in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles.”[15] Thus, it is important to note that if you are working with a military customer, whether US military or foreign military and whether directly or with a government contractor, the ITAR may apply unless you are strictly selling unmodified, unconfigured, commercial off-the-shelf equipment without installation or integration services.
The ITAR include restrictions on any exports from the United States or reexport to or transfer within a third country of US-controlled, ITAR-controlled products, software, technical data, or services as well as the transfer to non-US nationals, whether in the United States or abroad, of US-controlled technical data or defense services.[16] Export licensing policies under the ITAR are, not surprisingly, more restrictive than under the EAR, and many countries, including China, are ineligible to receive licenses under the ITAR.
These regulations also impose registration requirements for exporters, manufacturers, and brokers of ITAR- controlled goods and a mandate to report fees and commissions paid in connection with certain sales of US-controlled defense articles, defense services, and related technology.
Economic Sanctions and Other Trade-Related Sanctions
Trade and economic sanctions laws and regulations deal with country-specific restrictions or prohibitions administered by the OFAC. These rules restrict trade, investment, and financial transactions as well as the provision of or receipt of services with certain countries by US persons and US companies, including branches outside of the United States and, in some instances, US-owned or controlled subsidiaries.
Simply put, there are two main categories of OFAC sanctions. First, a short list of countries and territories that are subject to comprehensive embargoes on all trade (imports and exports), investment, exchange of services (even when free), and any other form of activity or transaction. These areas include Cuba, Iran, North Korea, Syria, and sanctioned regions of Ukraine. In additional countries, the property of listed individuals and entities is “blocked,” financial transaction are prohibited or restricted, or other restrictions exist on the export of products, technology, and services to certain listed individuals and entities. In these countries, there is no restriction on export to or import from these countries unless the parties involved are listed on a restricted parties list.[17]
More recently, OFAC has implemented a third system which is the imposition of restrictions on the provision of certain types of services, primarily with Russia and Belarus.
In general, OFAC regulations, beyond prohibiting exports and reexports to sanctioned countries or persons, prohibit nearly all trade (imports and exports), investment, exchange of services (even when free), and any other form of activity or transaction between “US persons” and any sanctions target. The prohibition on the provision of services would include many online services and products hosted on the internet, even if no software is available for download or when provided for free. However, the regulations include some authorizations for the export of certain items and services, including information and informational materials and internet-based communications services, software, and equipment.
It is important to note that both BIS and OFAC may have jurisdiction and licensing requirements for exports and reexports to the embargoed countries. It is, therefore, important to consult both the EAR and OFAC regulations to determine how to proceed.
Both BIS and the Department of the Treasury’s Internal Revenue Service administer antiboycott regulations that are designed principally to counter the Arab League boycott of Israel and Israeli goods. These laws apply directly to US-owned or controlled subsidiaries.