1 / 60

Export Controls: In the Trenches: Hands-On Approach to Export Compliance

Export Controls: In the Trenches: Hands-On Approach to Export Compliance. NCURA REGION VI & VII 2011 SPRING MEETING APRIL 3 - 6, 2011. Export Compliance Program. Presentation Overview. Licenses and Other Requests. Presenters: Kay Ellis Adilia Koch. Technology Control Plans.

allene
Download Presentation

Export Controls: In the Trenches: Hands-On Approach to Export Compliance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Export Controls: In the Trenches: Hands-On Approach to Export Compliance NCURA REGION VI & VII 2011 SPRING MEETING APRIL 3 - 6, 2011

  2. Export Compliance Program PresentationOverview Licenses and Other Requests Presenters: Kay Ellis Adilia Koch Technology Control Plans Recordkeeping Voluntary Disclosures

  3. Export Compliance: “Preventing violations” Keeping your campus compliant

  4. Develop an Export Compliance Management Plan • Risk Assessment – Where are the high risk areas? • Shipping • Procurement • Sponsored Research • Specific colleges/units • Develop “best practices” and tools • Checklists • NDAs, MTAs • File for licenses and exemptions • Technology Control Plans (TCPs) • Manual • Training • Maintain export control website • Recordkeeping

  5. Managing export controlled research Assuming you can’t negotiate out the restrictive clauses - how do you manage the export controlled project?

  6. Determining the need for a license (Export Controls Review) Questions to Ask: • What is the nationality of researchers INCLUDING Professors and Research Assistants (grad students/post-docs)? • Will the researcher or grad student be receiving restricted information? • Is it EAR controlled? • Is it ITAR controlled?

  7. Determining the need for a license (Export Controls Review) Questions to Ask: • Is the project strictly defense-related? • If it’s ITAR, will the foreign national grad student need to discuss the data with the sponsor? • Destination: Is the research technology or goods going overseas to a foreign company, government or individual? • Does the PI want to take the technology/equipment/data with him or her?

  8. Determining the need for a license Steps to Take: • Determine if license is needed for the technology/end user/end use • Determine if license exemption or exception is available

  9. Do I need to be concerned about export controls in this research? • Public domain, and • No equipment, encrypted software, listed-controlled chemicals, bio-agents or toxins, or other restricted technologies are involved, and • Information/software is already published, and • There is no contractual restriction on export, or • Fundamental Research • (note definitions and caveats associated with this exemption) • Equipment or encrypted software is involved, or • Technology is not in the public domain, and • Technology may be exposed to foreign nations (even on campus) or foreign travel is involved, and • The equipment, software or technology is on the Commerce Control List, or • Information or instruction is provided about software, technology, or equipment on the CCL, or • The foreign nationals are from or the travel is to an embargoed country • The contract has terms e.g. a publication restriction that effect the Fundamental Research Exemption • Equipment, software, chemical, bio-agent, or technology is on the US Munitions List (ITAR), or • Equipment, software, chemical, bio-agent or technology is designed or modified for military use, use in outer space, or there is reason to know it will be used for or in weapons of mass destruction, or • Chemicals, bio-agents or toxins on the Commerce Control List are involved, or • The contract contains a restriction on export or access by foreign nationals Probably (further review is required) License May Be Required YES License Will Be Required NO 9

  10. Determining the need for a license If no exceptions or exemptions, determine what kind of license is needed - • EAR • ITAR • OFAC

  11. What next?! Next steps: • Get a license • Set up a Technology Control Plan • Train the project personnel • Audit the Plan • Keep records

  12. Register first! • If ITAR - must be registered with State (DDTC) • http://www.pmddtc.state.gov/registration/index.html • $2250 flat fee for first-time users and universities or organizations not subject to taxation • Need a digital certificate • License submitted through D-Trade • If EAR – must register with Commerce (BIS) • Free! • http://www.bis.doc.gov/snap/pinsnapr.htm • If OFAC – no registration necessary

  13. Bureau of Industry & Security(BIS): SNAP-R licenses • Deemed Export License (BIS 748P-B) • Licenses are required for release of controlled technology or software to a foreign national only if a license is required for the export of such items to the home country. • Commodity Classification • Review the Commerce Control List (Part 774 Supplement 1) to identify (approximately) the ECCN or ECCNs that seem to be appropriate. Try to describe your item/technology in the control parameters used in the CCL entries. • Shipping license (BIS 748P-A) • http://www.bis.doc.gov/snap/index.htm

  14. Submitting an OFAC license • No required form – provide a detailed description of proposed transaction, including names and addresses of all involved • States in the license records shall be made available upon demand for at least 5 years • Call Licensing Div. (202) 622-2480 or Compliance Div. (202) 622-2490 for status http://www.treasury.gov/about/organizational-structure/offices/Pages/Office-of-Foreign-Assets-Control.aspx

  15. Most Commonly Used ITAR Forms and Agreements • DSP-5 • License for permanent export of unclassified defense articles and related unclassified technical data • License for foreign employees/students • “Vehicle” for online submission of TAA • Technical Assistance Agreement (TAA) • an agreement for the performance of a defense service(s) or disclosure of technical data

  16. Most Commonly Used ITAR Forms and Agreements • DSP-83 Nontransfer and Use Certificate required for export of significant military equipment (SME) and classified articles/data • DSP-73 License for Temporary Export of Unclassified Defense Articles • Commodity Jurisdiction (CJ) – Purpose is to determine whether an item or service is covered by the U.S. Munitions List (USML)

  17. Commodity Jurisdiction (CJ) Requests: “What to do when you don’t know what to do” Only State can determine jurisdiction

  18. EAR or ITAR? • Need to go to the authority - State Department has sole authority • not the PI • not the Sponsor • not DoD • not Commerce • You do not need to be registered with State to submit a CJ

  19. Before you start writing… • Ask yourself the 3 most obvious questions • Who is funding the project? (DoD? NASA? NIH?) • What is the intended end-use? (Military? Commercial? Both?) • What is the actual technology involved? (Surveillance? Space?)

  20. Then ask yourself these… Does the item or technology have predominant military, space or intelligence application? Was it designed, manufactured or tested to meet military or commercial specifications? What is the current predominant application? Does it have performance equivalent (in form, fit and function) to an item used for civil application? Is there sufficient justification for Commerce or State Department jurisdiction?

  21. If it looks like a duck… The CJ process is there to use when there is doubt about a technology’s or commodity’s jurisdiction When writing a CJ, you’re usually trying to argue your item is not subject to the ITAR CJs take time to write and even more time to process Don’t waste time on a CJ if there is no doubt your project is controlled under the ITAR and you have no justification for reconsideration If the intended end-use is for a military application, there is no doubt – it’s ITAR-controlled

  22. And it sounds like a duck… Follow your instincts Don’t believe everything PIs tell you no matter how confidently or definitively they state it Most PIs, unless they’ve worked in industry, are not experienced with or savvy about these regulations – high level of naiveté Dig for information, ask lots of questions Ask them again and again

  23. Some assertions I’ve heard…. “This (satellite) information can’t be ITAR-controlled to Japan – they’re a peace-loving nation. They are our allies.” “DHS doesn’t fund ITAR-controlled work because DHS is a civilian law enforcement agency.” “We can’t call it ITAR because we don’t know the end use. The sponsor won’t tell us because it’s classified.” “I have a document marked ‘ITAR-controlled’ but it’s also marked ‘uncontrolled when printed.’ I have a printed copy so I guess it’s not export-controlled.”

  24. It is a duck Prime is DoD Sponsor won’t tell you which agency within DoD Contract terms and conditions contain restrictions on publication and participation of foreign nationals Statement of Work asserts “innovative and advanced research” End-use is for a military application It’s an ITAR duck

  25. Doubt arises when… The sponsor’s determination differs from yours You’re modifying a defense article substantially for a commercial purpose* You are collaborating with another university that is treating the project differently You request a classification or a license from BIS and they advise you to submit a CJ *If you’re modifying an item for a military purpose, it’s ITAR-controlled.

  26. Tips on writing CJs • Include as much information as possible • PI or technical staff must participate in writing the CJ – they need to explain the technology clearly • Try to anticipate questions • Don’t try to fudge • Predominant means most of the time • Identical means exactly the same • Modified means modified – no matter how insignificant the change may seem

  27. Tips on writing CJs • Two legitimate arguments: • Your commodity is not a defense article and is not on the USML • Your commodity was a defense article but has been modified so it no longer has military application • Tell them how you think it should be classified, e.g. Dual-use, EAR99, ECCN 3A992, etc.

  28. *as of September 3, 2010 Tips on writing CJs • Follow the Guidelines – these are not in the regulations – they are online see: http://www.pmddtc.state.gov/commodity_jurisdiction/index.html • DDTC often posts information on its webpages – always check for the latest information • CJs must be uploaded* to DDTC using their Electronic Form Submission software. Requests must include fully executed DS-4076 CJ Form and all supporting documentation • 120.4 (c) revised – no longer need original and 7 collated copies!

  29. CJ Processing Interagency review Per DDTC usually less than 65 business days May get calls for additional information, be ready to answer or have PIs and Researcher prepared to respond Be courteous and professional and make sure the PI and Researchers are as well Don’t blame the reviewers, they’re just doing their jobs

  30. Documenting Export Controls Compliance: Technology Control Plans Elements of a Technology Control Plan

  31. License or Technology Control Plan? • In some situations it is possible to put a TCP in place instead of applying for a license • A TCP is simply a plan that outlines the procedures to secure controlled technology (e.g., technical information, data, materials, software, or hardware) from use and observation by unlicensed non-U.S. citizens • If this is not possible, then a license or technical assistance agreement would be needed

  32. Technology Control Plans (TCPs) • If you have export-controlled projects at your university you need technology control plans • Elements of a TCP • Commitment • Personnel Screening • Physical Controls • IT Security • Recordkeeping • Communication and Training • Ongoing audits and assessments

  33. When do you need a TCP? • In conjunction with a Technical Assistance Agreement (TAA) – Dept. of State • In conjunction with a Deemed Export license – Dept. of Commerce • In conjunction with an agreement that does not allow foreign nationals • In conjunction with an agreement that involves controlled technology – includes NDAs • Or in conjunction with any project that involves controlled technology!

  34. What are some key elements to consider in developing a TCP? • A TCP is project-specific! • Authorized personnel should be identified • Export-controlled information must be identified and marked as export-controlled • Project data and/or materials must be physically shielded from observation by unauthorized individuals by operating in secured lab spaces or time blocks • Work products such as soft and hardcopy data, lab notebooks, reports, and research materials should be stored in locked cabinets preferably in rooms with key-controlled access

  35. More elements to consider….. • Key controlled access by authorized personnel only • Equipment or internal components such as operating manuals and schematic diagrams containing identified export-controlled technology must be secured • Disposal of export-controlled information • Discussions about the project • authorized personnel only and in secure area • no third-party discussion unless conducted under signed agreement with U.S. citizen limitations

  36. Even more elements to consider….. • Export-controlled electronic communications and databases need to be secured. Such measures may include: • user ID, strong password, SSL or other approved encryption technology (TrueCrypt) • activate screensavers after 10 minutes • full disk encryption for laptops • Must include any project specific restrictions • PI must approve and all project members sign off

  37. Now that the TCP is in place… • Project personnel need to be trained or briefed prior to the start of the project • Update TCP Certification every semester – project personnel could change • Retrain project personnel at least once a year • Audit project to make sure TCP is being followed • Get IT folks to help audit electronic security measures

  38. Now that the project is over… • Security measures should remain in effect to protect export-controlled information unless earlier terminated when the information has been destroyed or determined to be no longer controlled.

  39. Export Compliance: Recordkeeping The devil is in the details!

  40. What’s required of us? • Federal Sentencing Guidelines: Effective Compliance and Ethics Program • In general, requires the “…exercise (of) due diligence to prevent and detect criminal conduct; and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” • United States Sentencing Commission, Guidelines Manual, §8B2.1(a) (Nov. 2006)

  41. What’s required of us? • The USSC’s 7 Step Program • Establish standards & procedures • Knowledgeable governing authority with reasonable oversight • Authority personnel does not include individuals engaged in illegal activities • Effective training programs • Monitoring, auditing, periodic evaluation, and a reporting system for employees & agents • Consistent enforcement • Respond to non-compliance w/ reasonable steps

  42. So where is recordkeeping? • The USSC’s 7 Step Program • Establish standards & procedures • Knowledgeable governing authority with reasonable oversight • Authority personnel does not include individuals engaged in illegal activities • Effective training programs • Monitoring, auditing, periodic evaluation, and a reporting system for employees & agents • Consistent enforcement • Respond to non-compliance w/ reasonable steps Everywhere!

  43. But, what is a record? National Archives & Records Administration 36 Code of Federal Regulations (CFR) 1220 • Section 1220.14 General Definitions: Records include all books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the Government or because of the informational value of the data in them (44 U.S.C. 3301).

  44. In Export Control-speak… • Export Administration Regulations (EAR) Part 762 • Recordkeeping • International Traffic in Arms Regulations (ITAR) Part 122 • Registration of Manufacturers and Exporters (122.5), with an additional clause at • Part 123.26 Recordkeeping requirement for exemptions • Documentation must be kept five years after the expiration of license

  45. EAR Part 762 • Scope • Transactions involving restrictive trade practices; exports/reexports; Canadian exports if involving non-U.S./Canadian persons with an interest; or any other transactions subject to the EAR • Records to be Retained • Memoranda; Notes; Correspondence; Contracts; Invitations to Bid; Books of Account; Financial Records; Restrictive Trade Practice or Boycott Documents/Reports, and Other records describing those transactions • Bottom Line: Anything about Anything!

  46. ITAR Part 122.5 • Maintenance of records by registrants • “…maintain records concerning the manufacture, acquisition and disposition (to include copies of all documentation on exports using exemptions and applications and licenses and their related documentation), of defense articles; of technical data; the provision of defense services; brokering activities; and information on political contributions, fees, or commissions furnished or obtained, as required by part 130 of this subchapter.” • Bottom Line: Anything about Anything!

  47. How should I keep records? • Lessons learned from case history: • Electronic systems are valid, but not required; operational needs can (and should!) be considered in this decision • Deleting electronic records is OK; as long as all the information is available elsewhere • Record management is KEY!

  48. Export Compliance: “When Stuff Happens” Voluntary Disclosures

  49. What should you do if think you have a violation? • Have a process • Document what the process is and who needs to be involved • Empowered Official • VPR • Legal Department • Dean or Department Head

  50. Stop the activity immediately!

More Related