Export controls and the CIO

11 May 2010

The days when export controls related purely to the physical movement of goods are over. The increasingly virtual nature of global business is making intangibles the new export frontier and getting it wrong can lead to fines and even imprisonment.

Export controls are regulatory requirements placed on goods, transactions and technology by governments to protect the national security or foreign policy interests of the regulating country. These restrictions can range from sanctions or embargoes against entire countries or specific businesses to the requirement for a licence from the authorities to continue with a transaction.

Export controls affect any business dealing with international transactions – from financial institutions to manufacturers. For example, international transactions can also include the passing of controlled technical data to foreign nationals. These transfers of intangible items are centred on controlled technology, which is defined as the specific information necessary for the development, production or use of goods – such as engineering drawings of a controlled item or encrypted software sent via email.

Some countries regulate exports through a single government agency. Others, as in the European Union (EU), have layered control bodies whereby member states are subject to pan-European regulation and often local, national controls as well.

The regulatory environment in the US is extremely complex – there are several government bodies that regulate export control. Separate governing bodies control commercial and military goods and technology. In addition, depending on the product or technology, government agencies such as the Nuclear Regulatory Commission may require approval for export as well.

An issue making export control more complicated for some exporters globally is that US laws apply to US-origin goods or technology throughout their lives, wherever they may go. Also, simply incorporating the controlled US item into a non-US product does not necessarily relieve the restriction of US controls even if a new product is the result.

The management of controlled technology is becoming ever more challenging. For example, the following scenario is one where controlled data may be exchanged:

A manufacturer of aircraft navigational equipment is working collaboratively with subsidiaries located in the US, UK, Germany and China to develop the next generation of satellite navigation. Among the team, specifications are stored on a shared drive on a server located in the US that is accessible by all subsidiaries, though folder access is granted only to team members. Weekly conference calls are held to discuss status updates, share progress, discuss findings and challenges and agree next steps and responsibilities.

In the above scenario, there are a number of areas where export controls may be required. Navigational equipment is generally a controlled product; the data surrounding the technical specifications and manufacture of the product will be controlled as well. As this is a joint project involving a US entity, work conducted by the US team will attach US export controls. In addition, the US export controls may extend to work completed by the UK, German and Chinese entities due to the server location being in the US. As files are saved on the shared drive, they are essentially being exported to the US from the originating country. As team members in various countries access these files, they are again being exported from the US to the retrieving country. Each time these files are accessed by a person outside the US (or by a foreign national within the US), US export controls apply. It doesn’t end there; the weekly conference calls held by the team could attract export controls as well due to the technical nature of the information being discussed.

This scenario will hit close to home for many companies, across many industries – from aerospace and defence, electronics and chemical manufacturers to engineering design firms and even universities. Everyone is always looking for the next greatest thing and to be the one who discovers or develops the next industry breakthrough, and this is often best accomplished by diverse, multinational teams. The challenge here is that even though a company may deal with goods and technology not currently controlled, the next generation could very well exceed technical thresholds that push into the export control arena. Also, you can see from this example that the mere placement of a server can add complications. Can you imagine the challenges arising through cloud computing?

How about another scenario:

A software house has developers located in multiple locations/countries; some of the developers may not be direct employees of the software company. A team is formed to develop a software application. Various applications for the software are created by various team members and will include software developed in-house, open-source code and possibly third-party-developed software.

This situation raises a number of export control challenges and potential issues. Key to this scenario is confirming whether any of the software contains encryption – if yes, elements such as the algorithm name and bit strength would also be required to identify the level of export controls relevant to the item. If the developers are in fact using open-source or third-party source code, do we know the original purpose for which it was developed (ie was it for military use)? Is any of the source code of US origin? As in our previous example, we would also need to consider the location of the server that would house the various applications and code. Should any code containing encryption be housed on this server, depending on the location you may have to obtain import licences as well (eg France, Hong Kong).

Contravention in any of these scenarios could lead to export penalties, which include fines and imprisonment – in the US, criminal penalties range from $1m (£662m) per violation and/or up to 20 years’ imprisonment. Likewise, in the EU, where member states are empowered to choose the penalties that seem appropriate, the UK can impose unlimited fines for criminal penalties and up to 10 years’ imprisonment.

Situations that are not wilful violations of export control laws attract civil penalties – the US imposes $250,000 per violation or twice the value of the transaction for dual use/commercial violations and up to $500,000 per violation for military or International Traffic in Arms Regulations violations. Likewise, Germany enforces administrative fines up to €500,000 (£426,000) per violation. Many countries, such as the US and China, also reserve the right to suspend a company’s export privileges.

Many of the prosecutions for export violations have been brought by the US authorities, even against foreign companies or subsidiaries. The increased focus on extraterritorial compliance is leading authorities in foreign countries to take a closer look at compliance against local laws and regulations.

So do export controls apply to your business and how do you protect yourself?

Determining whether you should be concerned with export controls can start with a few simple questions. What products or services do you sell or provide to customers? Where are those customers located? Do you undertake research and development using teams of individuals based in various countries and of various nationalities? Although these questions will not necessarily confirm the need for export controls, they will provide you with the foundation to begin a deeper examination.

If you believe export controls are a concern, there are a number of actions to take:

  • Establish an export management programme, which includes the commitment of senior management and a written set of compliance standards and procedures.
  • Procedures should include screening everything from employees to customers to products to transactions. It is important to evaluate operations to identify what products, technologies or transactions may be subject to export controls. Procedures should also be in place to classify, obtain and monitor export licences.
  • Ongoing compliance training and awareness for all staff, not just those directly involved in affected areas, is essential.
  • A solid record-keeping programme should be established, or export record-keeping requirements added to existing company policies.
  • Reviews of IT infrastructure and access controls are also important. Continued risk assessment, complete with internal and external audits, is an essential best practice to complete any compliance programme.
  • Last, but certainly not least, companies should establish ways to identify non-compliance and implement corrective actions.

Awareness and action are key to the management of export controls which, if handled correctly, should not create issues for a business. The challenge is considering the implications of these far-reaching and complex laws on all aspects of your global and virtual business operations, to ensure you get them right.

Heidi Miller is indirect tax manager in KPMG’s UK Trade & Customs Practice
