240 likes | 418 Views
U.S. Trade Controls:. September 24, 2008. Important Considerations for Canadian Technology Companies Before the Canadian Information Technology Law Association Jack A. Levy www.tradelawintl.com.
E N D
U.S. Trade Controls: September 24, 2008 Important Considerations for Canadian Technology Companies Before the Canadian Information Technology Law Association Jack A. Levy www.tradelawintl.com Note: This presentation is for general informational purposes and does not constitute legal advice.
Overview • U.S. Legal Landscape • Current Enforcement Environment • When Does U.S. Law Apply to Canadian Companies? • Overview of U.S. “Dual-Use” Controls • Terminology • Product Classification • Licensing and License Exceptions • Encryption Controls • Compliance Issues • Strategies for Addressing Potential Violations
Legal Landscape • U.S. trade controls are based on national security and/or foreign policy considerations and are implemented through three overlapping regulatory regimes: • OFAC: The Treasury Department’s Office of Foreign Assets Control administers U.S. sanctions. • BIS: The Commerce Department’s Bureau of Industry and Security administers controls on “dual-use” commercial exports. • DDTC: The State Department’s Directorate of Defense Trade Controls administers controls on defense exports. • All of these regimes have extraterritorial dimensions.
Current Enforcement Environment • U.S. trade controls are complex, vigorously enforced, and threaten severe penalties for each violation: • Civil Fines: Greater of $250,000 or twice value of transaction • Criminal Penalties: $1 million & up to 20 years in prison • Blacklisting:Denial of trading privileges; interference with ongoing business • Reputational damage, especially for publicly-traded companies • Surge in new enforcement actions since 9/11 • Increasing focus on non-US companies, resulting in landmark settlements (e.g., ABN Amro paid $80 million for Iranian sanctions violations; see also foreign affiliates of Compaq, IBM, Caterpillar, etc.)
Extraterritorial Emphasis of Enforcement Priorities • Whois usually targeted? • Foreign affiliates of U.S. corporations, wherever located • Canadian and European companies • What is usually the focus? • Transactions with terrorist-supporting countries (e.g., Iran, Cuba, North Korea, Sudan, Syria, Burma, and blacklisted entities) (including “approval/facilitation” of such transactions) • Exports to China • Releases of controlled technology/technical data, including “deemed exports”
When Does US Law Govern? • U.S. trade controls apply to US Persons as well as certain transfers involving US Content • “US Person” defined as: • US citizens (wherever located) • Permanent residents (wherever located) • US-incorporated companies and their foreign branches • Foreign subsidiaries of US-incorporated companies (but only for Cuba sanctions) • Transfers involving more than De Minimis amounts of US Content
When Does US Law Govern? • Most Canadian technology companies are not US Persons, and are not, therefore, automatically subject to all US trade control laws. • However, most Canadian technology companies are nonetheless subject to certain US trade control laws to the extent they deal in commercial goods/technology involving US content. • So What? • A decision to violate applicable US laws runs the risk of penalties and reputational damage if you get caught. • Failure to cooperate with US enforcement authorities could get your company blacklisted, which can be devastating for companies using US suppliers. • Poor compliance history can kill lucrative M&A deals with US partners.
“Dual-Use” Export Controls • EAR controls the export of US-origin, commercial “items” (i.e., goods, technology, technical data, and software) • For most Canadian companies, the EAR covers: • Items originating from the United States • Foreign-made items incorporating greater than de minimisamounts of US content • Foreign-made goods that are the direct product of US-origin technology
De Minimis Rules • De minimis threshold is 25 % for most destinations, but 10 % for sanctioned destinations (e.g., Cuba, Iran, North Korea, Sudan, Syria). • Calculation based on a ratio of US-origin cost to foreign product selling price. Need to compare: • Commodities to commodities • Software to software (including firmware) • Technology to technology • Certain foreign-made computers and encryption are ineligible for de minimis treatment. • There is a one-time prior reporting requirement for commingled US and foreign software and technology.
Export Control Terminology • Export: • Sending an item from US to foreign destination (or “Specially-Designated Nationals” of the foreign destination) • Can occur via mail, hand carry, electronic transmission, etc. • Re-export: • Sending an item from Canada to third-country destination (or SDN of the third-country destination) • Can occur entirely within Canada. • Deemed Export: • Release of controlled data to foreign national (who is not a US permanent resident) • Deemed Re-export: • Release of controlled data to non-Canadian national (who is not a US citizen or permanent resident) • Item Two • Sub Item • Sub • Item Three
When Do You Need a License? • You may need a license if: • The transaction is governed by US law; and • The transaction constitutes a re-export or deemed re-export • In order to assess licensing requirements, the first step is to classify the item. • Every item has either a specific Export Control Classification Number (ECCN), or else it is covered under “EAR-99.” • The ECCN is an alpha-numeric code that describes a particular item and shows the controls placed on it.
ECCN Classification • The Commerce Control List (CCL) is divided into ten broad categories: • 0 = Nuclear materials, facilities and equipment 1 = Materials, Chemicals, Microorganisms and Toxins2 = Materials Processing3 = Electronics4 = Computers5 = Telecommunications and Information Security6 = Sensors and Lasers7 = Navigation and Avionics8 = Marine9 = Propulsion Systems, Space Vehicles, Related Equipment • Each category is further subdivided into five product groups: A = Systems, Equipment and ComponentsB = Test, Inspection and Production EquipmentC = MaterialD = SoftwareE = Technology
ECCN Classification (cont.) • EXAMPLE: • Assume that you manufacture polygraph equipment in Canada incorporating more than de minimis US content. What would be your ECCN? Start by looking in the Commerce Control List under the category of electronics (Category 3) and product group which covers equipment (Product Group A): 3A981 Polygraphs(except biomedical recorders designed for use in medical facilities for monitoring biological and neurophysical responses); fingerprint analyzers, cameras and equipment, n.e.s.; automated fingerprint and identification retrieval systems, n.e.s.; psychological stress analysis equipment; electronic monitoring restraint devices; and specially designed parts and accessories, n.e.s. Reason for Control: CC Country Chart: CC Column 1 License Exceptions: N/A
Step 2: Where Are You Exporting? Under this example, a license is required for shipment to Honduras, but there is no license required (NLR) for Iceland.
Step 3: Check End-User and End-Use • Transfers to a blacklisted entity will violate end-user controls, even if the item is EAR-99 or the Country Chart indicates that no license is required. • Example: • Canadian company manufactures low-level (EAR-99) software for sale within Canada. If the software is sold to a blacklisted entity in Canada (e.g., a Specially Designated National of Cuba), then the company has committed a US export control violation. • Exports/re-exports for certain end-uses are prohibited if the company “knew” or had “reason to know” about the prohibited end-use -- proliferation of WMD (e.g., nuclear, biological, chemical), and the missiles to deliver them.
Practical Example • Can a Canadian company export EAR99 software for the first time to the UK without a license? (Assume the finished software contains only 0.9 percent US origin content.) • Yes, unless the end-use/end-user is restricted. • BUT only after filing a one-time report to BIS, which is necessary to rely on a de minimis exclusion for foreign-made software or technology commingled with US software or technology
License Exceptions • Depending upon the ECCN, certain license exceptions may be available if certain conditions are met. For example: • TMP: Temporary Exports/Re-exports • RPL: One-for-one replacement of parts • TSR: Technology and Software Under Restriction: Certain mid-level technology and software sent to Country Group B, provided that written assurances are obtained from consignee. • TSU: Technology and Software Unrestricted: Certain low-level technology and software, including operating technology and software, software updates (“bug fixes”), certain “mass market” software, and unrestricted encryption source code. • ENC: Encryption Commodities and Software: authorizes the export/re-export of encryption classified under ECCNs 5A002, 5D002, and 5E002, subject to certain conditions.
Special Encryption Rules • Encryption control regime consists of: • Up-front government review of new and revised encryption products (>5,000 per year) (40/40/20): • Mass market • ENC-Unrestricted • ENC-Restricted (only eligible for license free zone countries) • Back-end reporting (where applicable) • Licenses generally required for government customers • US unilaterally controls certain encryption items that are not covered under Wassenaar Arrangement(which starts with 56-bit symmetric, 512-bit assymmetric, and 112-bit ellyptical curve). • Note: Canadian re-exports of encryption treated same as US exports, effective Dec. 19, 2004.
Special Encryption Rules • “Mass Market” examples: • General purpose OS • Short-range wireless (i.e., access points) • PDAs and web phones • COTS software for PCs • Cable modems and home internet appliances • Personal firewalls and client software • Items unlikely to be “Mass Market”: • Items sold primarily through a sales rep • Items “used in” mass market products (e.g., chips, toolkits for hardware developers) • Enterprise products that are not scalable • Infrastructure products sold to ISPs and TSPs • Products containing an OCI or source code
Special Encryption Rules (cont.) • Examples of “ENC-Restricted” items that cannot be transferred to most destinations without a license: • Network infrastructure with >64-bit key length symmetric algorithms if: • Aggregate encrypted WAN, MAN, VPN, or backhaul throughput >44 Mbps (aggregate for wireless; single channel for wired, cable, or fiber-optic input data rate) • >359 Max. concurrent encrypted data tunnels or channels, or • Air interface coverage >1,000 meters, Max. data rate >5 Mbps, Max. concurrent full-duplex voice channels >30, or substantial support is required for use. • Proprietary cryptographic source code • Items with open cryptographic interface • Crypto items customized for government end-use, or that can easily be changed by the user (if not publicly available) • Cryptanalytic items (“code crackers”) • Providing quantum crypto functions, or customized for 4A003 computers
Common Pitfalls • Misclassification of products/technologies • Intra-company transfers to overseas office or affiliate • Deemed Exports: uncontrolled data access for foreign national employees/visitors (e.g., Indian engineer in Toronto) • Approval/facilitation by “US persons” in company or company group • M&A Scenarios: • If Canadian company is target, then due diligence can reveal poor compliance history, which can kill the deal or result in unwanted liability for sellers. • If Canadian company is acquiring a target, inadequate due diligence results in successor liability for the target’s past export control violations • CFIUS reviews can also trigger scrutiny of Canadian company’s track record for US export control compliance.
Elements of Effective Compliance • Statement of corporate policy and written procedures • Designation of responsible compliance officer • Classify company’s products/technology/services • Screen all relevant transactions • System for controlling foreign national employee and visitor access to controlled hardware and data. • Training and period audits • Export documentation and recordkeeping policies • Corrective action to address violations
Dealing with Potential Violations • Do not repeat! • Future knowing violations = criminal liability • Decide whether to make a voluntary disclosure • May be required if future license applications are needed in same area as past violation • Statute of limitations = 5 years • Voluntary disclosures provide substantial mitigation (>50%) • Disclosure of violations to shareholders may be required under applicable securities laws (e.g., SOX) • Assess probability of getting caught -- (is there a parallel Canadian disclosure?) • Assess likely consequences under self-disclosure scenario, and getting investigated, respectively. • Assess likelihood of M&A transaction in next 5 years