In July 2016, the U.S. Department of State, Directorate of Defense Trade Controls (DDTC) announced that it had re-initiated its Company Visit Program for companies engaged in ITAR-controlled work. The stated objectives of this program are:
- Advance DDTC’s understanding of how different companies establish and maintain an overall defense trade control program to fit the needs of their business;
- Allow DTCC to review a company’s defense trade compliance programs in the context of a Consent Agreement (CA) or adjudication of a Voluntary Disclosure (VD), Directed Disclosure (DD), or another compliance matter;
- Gather information to support the Directorate’s development of regulatory policy and practice;
- Assess and disseminate industry best practices, recommendations, and trends to benefit compliance programs and increase transparency.
Two types of DDTC company visits
DDTC announced that there were two basic types of visits under its program.
- CVP-Outreach (“CVP-O”): An extension of DDTC’s outreach activities unrelated to specific compliance matters; and
- CVP-Compliance (“CVP-C”): Designed for DTCC oversight activities and could involve a more in-depth look at a company’s compliance program.
While the announcement was only issued in July, the re-initiation of the program had begun a year before. DDTC has now published its first report on the completed visits that occurred between May 2015 and July 2016. Altogether, there were 14 completed visits during that period. Eight of these visits were CVP-C (related to oversight or involved in the monitoring of Consent Agreements). Six of the visits were CVP-O (for outreach purposes). Five of the visits involved foreign companies in Canada, Poland, Belgium and the UAE. The remaining visits were to U.S. locations.
Best practices announced from DDTC Company Visit Program
In summarizing its visits, DDTC noted a number of “best practices” and other compliance initiatives that company’s had undertaken. These include:
- Requiring suppliers to complete a standardized form identifying the jurisdiction/classification of their products and related technical data;
- Integrating export control processes into company quality systems and reviews;
- Physically segregating ITAR-controlled research (including research using ITAR-controlled articles or technical data) at universities;
- Providing foreign customers with a summary of TAA requirements, and tying those requirements to the contract with the foreign end-user;
- Incorporating export compliance reviews into IT systems that manage project lifecycles, so that the workflow requires approval from the export compliance function prior to the bid/no-bid business decision.
- Requiring self-classifications to be reviewed and signed by engineering and technology managers of the cognizant business and a senior technology manager from a separate business unit, serving as an independent peer reviewer.
- Using incentive programs, such as internal recognition and/or awards, to recognize employees for compliance activities.
If your company is already following some of these practices, great work! If not, these can serve as a guide for improvement.
Areas for improvement noted by DDTC during company visits
In addition to these best practices, DDTC also published a variety of recommendations and areas for improvement. These include:
- Outreach and training on ITAR compliance for foreign partners and customers.
- Processes for identifying dual and third country nationals (DTCNs) should include a requirement to review the bona fide regular employee status in accordance with ITAR Section 126.18.
- A U.S. applicant should consider including in contracts with foreign parties terms and conditions that ensure it has direct physical access to its U.S. Person employees providing defense services. This allows the U.S. applicant to directly oversee compliance of its employees, as required per ITAR 127.1(c).
- In order to maintain objectivity, universities should ensure internal, independent reviews are used to determine the ITAR-controlled status of current programs and future opportunities.
- Compliance personnel should identify and document all IT systems that store, or have the potential to store, ITAR-controlled technical data. A current record of who has access to these applications should be maintained.
There were even some “takeaways” for DDTC itself:
- DDTC should consider increasing its outreach and training initiatives for foreign parties to ITAR authorizations.
- DDTC should consider providing guidance specifying when a company would be expected to maintain access logs that can verify “potential” versus “actual” access to technical data.
The future of the program
Going forward, DDTC will continue its visits and, ultimately, if it stays the course and adheres to the original objectives, these visits will prove beneficial to both DDTC and to the industry. One has to wonder if the DDTC visits will ever evolve into joint visits by both DDTC and BIS? This would be for those companies who transact with both defense articles and dual-use items. The benefits of having both agency perspectives in educating companies and evaluating compliance programs to meet the requirement for both sets of regulations could be extremely advantageous and educational for all involved.
And after all, isn’t this the direction that Export Control Reform is supposed to be leading us?
Jim McShane is a Sr. Consultant, Trade Compliance for Export Solutions -- a full-service consulting firm specializing in ITAR and EAR regulations.