What’s in your compliance program?

Capital One is famous for its slogan, “What’s in your wallet?”  But in the world of trade compliance officers, the pertinent question might be, “What’s in your compliance plan?”

Earlier this year, OFAC published “A Framework for Compliance Commitments.”  This framework provides direction and insight into what the agency believes are essential elements of a “risk-based sanctions compliance program.”  The publication represented compliance program guidelines as published by the four regulatory agencies  (ITAR, EAR, FCPA and OFAC).  As you might expect, there are some common elements that exist with all four regulations as shown by the table below:

There are also some individual elements that we find unique to each jurisdiction and its controls:

With this in mind, is there a minimum or a maximum of what should be in a Compliance Plan? It could be asserted that the common elements above represent a minimum for the jurisdiction your Compliance Plan addresses.  However, is this all that should be required?  There are a number of factors to consider when developing a compliance manual.  As BIS advises, “…your written manual could range from a dozen or so pages to 100 or more.”

For more than 10 years, Export Solutions has successfully helped companies of all sizes develop, implement and train their compliance programs.  Our advice is always the same:  Your program should fit your company; not the company fit a compliance manual.  This means there are a variety of factors that should be considered when creating a compliance program, including:

• Types of transactions that your company is involved in
  • Manufacturing, exporting, shipping, financial
  • If manufacturing/ exporting, the types of products/technology that your company designs, develops, manufactures, produces, imports or exports
  • Are products subject to export controls (even if the company does not export)? Which controls?
• Structure of the company
  • US or Foreign ownership/control
  • US or Foreign subsidiaries/affiliates
• Size of you company
  • Are there multiple business locations?
  • If so, are the activities of the multiple sites diversified?
• Workforce
  • US Persons/Foreign Persons
  • Contractors/Consultants

In addition to the elements recommended by the agencies administering the four jurisdictions, Export Solutions also recommends to its clients that they consider adding additional sections to their Compliance Plan as appropriate to their business(s). These can include:

Program Organization, Personnel and Responsibilities

• Identify those who will have responsibilities for maintaining the export compliance program to all employees and contact information. Not just  the Export Compliance staff, but should also include subject matter experts who are knowledgeable about Export Compliance requirements, as well as company compliance processes and procedures.

U.S. Department of State Registration

• For those companies that are required (by law) to be registered as a manufacturer and/or exporter and/or broker of Defense Articles or provide Defense Services, this section explains the Registration and Renewal of Registration processes; as well as the required Notifications.

Classification and Export Controlled Items

• The cornerstone of every Export Compliance Program is the ability to accurately classify products and/or data/technology and/or software, thereby identifying the regulations applicable to those products and/or data.

Licensing, Agreements and Other Approvals

• When is a license required? What type of license or other authorization needs to be obtained or can be utilized? What information is necessary to apply for a license?

Employee Status 

• Every company is composed of a collection of “moving parts.” Probably the most important “moving part” are your people (employees, consultants and contractors). Are they U.S. Persons entitled to have access to controlled data/products? If not, how do you segregate them from access to controlled data/products?

Visitors and Meetings

• How visitors should be compliantly admitted to your company and meetings to ensure that violations through the unauthorized provision of Technical Data/Technology and Services do not occur.

Sales and Marketing

• First contact with potential customers and when properly trained to be knowledgeable about export control requirements will know how to treat every request for quote and all accompanying data to ensure that your company is compliant from the beginning and continuing throughout every transaction.

Sourcing and Purchasing

• Export violations can occur without traditional exports having taken place. Procurement needs to know which vendors and subcontractors your company is dealing with. If your vendor/subcontractor is being provided data that is controlled for export, this section makes it clear what you need to know/verify and how to do it.

Control of Technical Data, Software & Information

• The significant number of export violations that are committed relate to unauthorized access of controlled data by foreign persons. This section advises and provides aids to complying, marking, protecting, storing (electronic storage) and recording export controlled data and manage the risks of a violation.

Travel and Handcarries     

• Company management and employees who travel internationally need to know what they can take with them; specifically what they need licenses for and what cannot be exported because there is no export authorization in place permitting the export. Laptops, Cell phones other electronic devices taken to foreign countries, can result in violations if they contain export controlled data in emails or attachments or files.

Shipping and Logistics    

• This section provides guides to what Shipping and Receiving’s responsibilities are and what they should be reviewing in the Shipping Documents for worry free Export.

Mergers and Acquisitions

• The US Government levies requirements for notifications of Mergers, Acquisitions and Divestitures. Failures to do so can result in penalties. This sections guides companies through the requirements.

Anti-Boycott

• A brief section of Anti-Boycott Regulations and Reporting requirements

Automated Export System (AES) / ACE

• This section provides helpful information and steps to follow if filing Electronic Export Information (EEI) in AES/ACE yourself and information on how to review filings by designated others on your company’s behalf.

To repeat, not every element has its place with every company and care should be taken to choose the elements that “fit” your company.  Here are some additional suggestions to create an effective compliance program for your organization:

• If there is already a documented process or procedure within the company that (with modification) can be effective as an element – modify and use it – don’t drown the company in similar but distinct processes and procedures for the same subject matter.
• Be selective as to what is really required or would be beneficial to the company. As compliance specialists, we might find a regulation or a policy interesting, but if it does not apply to your company – keep it in a personal folder .. not in your compliance plan.
• Get input from specialists within the company (e.g., engineering or R&D for classifications), but be judicious in forming a review team. Too big and you risk having nothing ever get beyond drafts or ideas.  So, use the company assets best suited for the Compliance Plan element being drafted.
• Always be forward thinking. If there are business potential opportunities involving transactions not currently covered, develop a plan for how you will address these if/when they arise.
• Get assistance in formulating and implementing your Compliance Plan. A small investment now can represent a large savings later.

Finally (and most importantly), put away your hammer and chisel!  Compliance programs should never be “written in stone.”  A good program is designed to be a “living and breathing document” that gets reviewed, modified and enhanced for effectiveness and efficiency on a constant basis.

Do you need help developing or improving your company’s compliance program?  Schedule a no-charge consultation with one of our team members today, so we can learn more about your needs and get started helping you.  You may also wish to view the following guidelines from these government agencies:

FCPA:  https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf

OFAC:  https://www.treasury.gov/resource-center/sanctions/Documents/framework_ofac_cc.pdf

BIS / EAR:  https://bis.doc.gov/index.php/documents/pdfs/1641-ecp/file

DDTC / ITAR:  https://www.pmddtc.state.gov/sys_attachment.do?sys_id=35c9a068db995f00d0a370131f9619bb