“Who has access to what?” Export controls and your company data

Last week, FLIR Systems, Inc. entered into a Consent Agreement with Department of State, Directorate of Defense Trade Controls (“DDTC”) to settle allegations of violations of the International Traffic in Arms Regulations (“ITAR”). There were 347 alleged violations cited in the Proposed Charging Letter. These violations included 219 counts of unauthorized exports to Foreign-Person employees; 106 counts for failure to properly apply for and manage DDTC licenses and exemptions; and 20 counts for failure to disclose payments under ITAR Part 130.

The violations related to unauthorized exports to Foreign Persons appear to have occurred between FLIR and its Swedish business unit (FLIR AB of Sweden). This includes various exports and re-exports by FLIR to FLIR AB of ITAR-controlled Defense Articles and Technical Data to Foreign Person employees. Some of the employees involved were Dual Nationals and Third Country Nationals, as well as nationals of §126.1 countries. Significantly, FLIR granted employees permissions to its information technology (IT) system, which resulted in unauthorized access by foreign persons to ITAR-controlled technical data. This resulted in approximately 1,350 foreign-person employees having unauthorized access to all ITAR-controlled technical data (over 1,400 files) located on FLIR’s servers in 22 non-U.S. facilities.

A closer look at FLIR’s violations

The violations related to licenses and exemptions covered a myriad of different infractions, including:

  • Exporting without a license
  • Re-exporting without authorization
  • Non-compliance with terms or conditions of licenses or approvals
  • Failure to maintain records required for the use of exemptions
  • Non-reporting of theft/loss of defense articles approved for temporary export
  • Incomplete filing of Electronic Export Information in AES/ACE
  • Failure to keep accurate shipping records (as required by the ITAR)
  • Misrepresentations or omissions of material facts in 20 license applications, as well as other licensing-related violations

Finally, the charging letter alleges that FLIR failed to disclose (per §130.9(a)(l)) that it had paid or offered or agreed to pay fees, or commissions, with respect to a sale for which a license or other approval was required. It should be noted that, three years ago, FLIR settled violations of the federal Foreign Corrupt Practices Act (FCPA) with the Securities and Exchange Commission over trips and gifts for certain Saudi Arabian officials.

The cost of non-compliance

FLIR was fined $30 million for these alleged violations under the terms of the agreement. Half of this penalty was suspended with the understanding that FLIR would institute required remedial compliance measures, which include:

  • The appointment of a Designated Official or Internal Special Compliance Official for the four years that the Consent Agreement will be in effect;
  • FLIR will ensure that adequate resources are dedicated to ITAR compliance throughout its ITAR-regulated operating divisions, subsidiaries, and business units;
  • Within 12 months, FLIR will implement strengthened compliance policies, procedures, and training;
  • Two audits are to be conducted by an outside consultant with expertise in AECA/ITAR matters and approved by DDTC. In addition to auditing FLIR’s compliance processes and procedures, the first audit will also assess FLIR's information technology and physical security at its facilities conducting ITAR-regulated activities worldwide.

Probably the most significant behavior of FLIR leading to this Consent Agreement was that it failed to classify, identify, secure and protect Technical Data from its foreign person employees by allowing unfettered access to 1,400 files containing Technical Data on its servers in 22 locations. Furthermore, FLIR did not appear to exercise the required due diligence in ascertaining and identifying Foreign Person employees who were Dual Nationals or Third Country Nationals.

An additional significant fact from the agreement: Although FLIR had filed a number of voluntary disclosures, in at least one instance, it appears the company failed to implement the anticipated corrective action involving foreign-person employees, thereby violating ITAR §127.2 (“Misrepresentation and Omission of Facts”).

Lessons learned: foreign person employees

There are several “compliance cornerstones” that are well-known in this industry. These include such maxims as:

  • Know the regulations.
  • Know your products and the data behind those products.
  • Know the controls on your products and data.
  • Know your end users and their end uses.

In light of FLIR’s latest consent agreement, I think we can add the following “cornerstones” to the list:

  • Know your employees and their nationalities.
  • If you disclose a violation and cite a corrective action, make sure to follow-through and actually perform that action.

If you have questions or need help with your company’s ITAR compliance, or if you believe you have a violation, we can help! Please schedule a no-charge consultation with our team today.

Jim McShane is a Sr. Consultant, Trade Compliance for Export Solutions -- a full-service consulting firm specializing in ITAR and EAR regulations.