330 likes | 341 Views
This guide explores the importance of export control compliance for universities and research institutions due to heightened national security concerns. It discusses the need for a compliance program and outlines key elements such as regulations, triggers, and core compliance components.
E N D
Why Has Export Control Compliance Become So Critical? • The State, Defense and Commerce Departments are paying close attention to export compliance within the university research environment: • Result of heightened national security concerns around access to sensitive technology, at a time when international exposure and collaboration is increasing. • Of concern are transfers of or access to controlled equipment and technologies here and abroad, particularly where the institution’s activities fall outside the coverage of the Fundamental Research Exclusion (FRE) or related exclusions (see below). • Universities and research institutions are obligated to comply with all relevant export control regulations: • Export Administration Regulations (EAR) • International Traffic in Arms Regulations (ITAR) • Office of Foreign Assets Control (OFAC) regulations. • Recent government enforcement activity has resulted in a number of audit findings with civil liability consequences, including monetary penalties, as well as criminal prosecution: individual and institutional liability.
What Triggers the Need for a Compliance Program? Sponsored Research • Where publication or other restrictions have been accepted, or NDA terms expanded so as to constitute restrictions, export controls may apply. • Even though some research activity may qualify for the FRE, jointly shared laboratory equipment or technology that falls outside of FRE parameters may be governed by dual use export control regulations. • While the FRE applies to research activity (including access to hardware) being used in the U.S., it may not apply to activity conducted abroad, and does not apply to equipment being exported abroad. • The institution is required to understand whether its equipment and/or technology are subject to dual use destination controls or ITAR controls. • Note: ITAR- governed projects and technology will likely require a Technology Control Plan (TCP), even though the activity is being conducted on campus in the U.S. • OFAC regulations apply regardless of the type of technology involved, and address the nature of services and transactions with economic embargoed/sanctioned countries and their foreign nationals.
Faculty-Sponsored Research • Where a faculty member is using internal funding to pursue research, and Office of Sponsored Research does not have the same degree of visibility into the research parameters or consulting relationships deriving from the faculty member’s work as it would otherwise have. • The FRE and related exclusions may or may not apply and, as in the case of sponsored research, specific controls may be applicable. International Campuses and Collaborations • Depending on the scope and sensitivity of the activity (curriculum vs. research) the FRE may or may not apply. • Export controls driven from the U.S. campus (including a TCP) may require extension overseas, as certain foreign national access to technology and exposure to embargoed services/transactions becomes a more likely possibility. Distance Learning • When offering on-line curriculum and academic relationships remotely, properly monitoring and flagging registrations from embargoed countries is necessary • Institution and individual must avoid participating in other activities (fiscal and non-fiscal) interpreted by OFAC as providing a prohibited service or value.
Core Elements of a Compliance Program Export Management System A documented set of policies, procedures, desk-top instructions and checklists (distributed and/or posted to website) that address all necessary elements of compliance including, but not limited to the following: • Policy statement reflecting commitment to export control • Overview of Regulations: EAR, ITAR, OFAC • Responsible Parties/Empowered Officials - ITAR • Proper Use of • Fundamental Research Exclusion – EAR • Public Availability Exclusion – EAR • Public Domain Exclusion – ITAR • Educational Information Exclusion EAR/ITAR • Employment Exclusion - ITAR • Nondisclosure Agreements EAR/ITAR • Prohibited party/entity screening EAR/ITAR • Jurisdiction determination – ITAR • Defense Services – ITAR • Classification for dual use destination controls - EAR
Core Elements of a Compliance Program continued… • Deemed Exports to controlled foreign nationals – EAR/ITAR • Licensing/export authorizations and exemptions – EAR/ITAR • Technical Data Transfer – EAR/ITAR • Procurement – EAR/ITAR • Collaborations: research institutions/corporations – EAR/ITAR • International • Domestic • Technology Control Plan (IT access, physical security, visitor, travel, courier, hand-carried) – EAR/ITAR • Re-exports and retransfers- EAR/ITAR • Shipping hardware/AES compliance – EAR/ITAR • Encryption management – EAR/ITAR • Timely problem notification – EAR/ITAR • Internal audit – EAR/ITAR • Training – EAR/ITAR • OFAC prohibitions.
Export Management Infrastructure • Office or Director of Sponsored Research or Programs may not have sufficient visibility. • Requires a broader cooperative effort among numerous offices and departments throughout the university: Counsel, IT, Admissions, IP or Material Transfer, Academic Deans, PI’s, Research Directors, Distance Learning, Procurement, International Programs • Network of “Export Control Coordinators (ECC)” or “facilitators” is critical: • Embedded in the academic and research environment, and trained to identify export control issues and either field them (preliminarily or for resolution) or make sure the issues are routed to the lead export control professional. • Compliance payoff: research administrators, PI’s, departmental directors – anyone confronting a potential export control issue - will likely perceive the export compliance program as a passport or enabler toward timely moving the process forward, rather than an impeding factor or unnecessary hindrance to be ignored.
Key Questions to Help Identify Issues • Have export control priorities been identified and, if so, addressed? • Is institutional leadership sufficiently aware of the compliance obligation and enforcement penalties; if so, are there sufficient tools and resources to meet the compliance obligation? • Does Sponsored Research have sufficient visibility into research and academic activities such that export controls issues are proactively managed? • Where control procedures exist, are they comprehensive enough to address the proper use and maintenance of the FRE, related exclusions and/or specific export controls? • Where there is an overseas campus or collaboration, does the control program protect the university’s activities abroad?
Choosing the Right Compliance-Building Tool The key is to develop a program that is: • priority-driven • proportionate to the needs of faculty and administrators • accomplishable within a reasonable period of time • transparent to its users • cost effective
Export Risk AssessmentIdentifying compliance priorities: areas likely to present the most serious and immediate exposure. • A high-level export risk assessment and resulting report enables the export control administrator to: • Methodically evaluate key points of exposure throughout the university • Understand who potential process owners might be for remedial purposes • Understand how data necessary for compliance is best collected through IT and manual solutions • Develop the level of procedural safeguards appropriate to the circumstances
Development of Export Management Systems (EMS) and Technology Control Plans (TCP) • Once compliance priorities are identified, it becomes easier to develop the necessary processes and procedures to address controls, through a well-documented and transparent EMS and/or TCP. • EMS: broad coverage over all aspects of an export program including proper use of the FRE and related exclusions • TCP narrow or broad as necessary: might apply only to one particular program (addressing data segregation, identity management for access purposes, file back up and storage, etc); or, cover a significant number of projects or programs governed under ITAR or the EAR.
Extension of Export Controls Internationally • Assess how your existing export control program can be leveraged and extended to protect curriculum and research activity abroad. • Develop a global Technology Control Plan that addresses a particular off shore project or collaboration, but that is flexible enough to extend to other locations and programs with minor adjustment as needed. • Because international expansion also triggers Intellectual Property (IP) and “permanent establishment” income tax concerns, ensure that the means and objectives of the export program are consistent with IP and tax objectives as well.
Development of Export Control Coordinators (ECC) and supportive infrastructure • Develop a cadre of trained, accessible internal coordinators to provide export control guidance to their respective departments and data collection to the lead export control function. • Key Selection criteria: • Available and willing • Sufficiently objective about compliance responsibility • Technically connected enough to the academic or research area so as to support practical solutions.
Leadership Briefings and Departmental Trainings Securing the commitment of institutional leadership is critical by providing a cogent, high level briefing on potential exposure and enforcement penalties. • Focus on what export control issues and procedures are particularly relevant; how to manage compliance proactively; and internal resources. • Train. Train. Train!
Export Control Help Desk – Compliance with all EAR, ITAR, and OFAC regulations • FRE and related exclusion analysis, one-off or multiple ECCN classifications, encryption notification and review, screening tools, commodity jurisdictions, license applications/reviews, guidance on OFAC, shipping questions, voluntary disclosures, internal audit templates, IT-related aspects of control plans, Intellectual Property transfers and control implications, and procedural support. Contact: Fischer & Associates Dfischer56@aol.com415-987-4039
Export Controls – Enforcement Against Universities and UC Compliance Responses UC Compliance and Audit Symposium February 3, 2009
Prior Export Criminal Enforcement Against University Professor • Thomas Butler • chief of Infectious Disease Division at Texas Tech’s Department of Internal Medicine • Select Agent violations, accounting fraud • One count for transfer of plague sample to Tanzania
J. Reece Roth • Professor Emeritus of U. of Tennessee, Knoxville • 18-count indictment for technology transfer to foreign nationals
UT Not Indicted • UT was “victimized by the conspirators” and cooperated throughout with the FBI • UT’s Code of Conduct specifically prohibited employee activities that violated federal securities laws • UT policies required employees to report violations of state or federal laws. • UT policies required employees to • Understand any export control requirements that related to employee’s work • Ensure that no exports were made contrary to requirements
Conspiracy Charge • AGT subcontracted to Roth • Roth employed foreign grad students, including China and Iran • Roth and AGT falsely stated to AFRL that no foreign nationals would be used • Roth directed foreign nationals to work on the project • AGT assigned PRC national to work on project in task order to Roth • Roth sent letter to PRC national asking him to work on project
Export Violations • AGT exported restricted technical data to foreign national • Final report • Progress reports • Roth exported restricted technical data in travel to PRC and delivery of 30-pp DARPA proposal containing plasma actuator technology for specific USAF aviation munitions project • Roth directed PRC student to transmit data to PRC contact • Roth allowed access to restricted equipment and data to Iranian student
Trial • Roth: • Didn’t believe he had broken the law • Research hadn’t produced anything tangible • Received only $6,000 from contract • US: • Roth knew information was restricted • Initially kept restricted information with U.S. student but eventually shared with foreign nationals
Conviction • Guilty on all 18 counts • Jurors deliberated 6 hours • Roth faces 160 years and $1.5M in fines • Verdict “should serve as a warning to anyone who knowingly discloses restricted U.S. military data to foreign nationals.” – Patrick Rowan, Acting Asst. AG for National Security
UC Export Control Compliance Plan • Use of Fundamental Research Exclusion • Basic Do’s and Don’ts
National Security Decision Directive 189 • To the maximum extent possible, the products of fundamental research should remain unrestricted. • Where the national security requires control, the mechanism for control of information generated during Federally-funded fundamental research in science, technology, and engineering at colleges, universities, and laboratories is classification. • No restriction may be placed upon the conduct or reporting of Federally-funded fundamental research that has not received national security classification, except as provided in applicable U.S. statutes. • President Bush’s National Security Advisor, Condoleezza Rice, reaffirmed NSDD-189 in November 2001.
UC Policy on Publication • “It is a long-standing University policy that freedom to publish or disseminate results is a major criterion of the appropriateness of a sponsored project, and particularly of a research project.” - UC Contract and Grant Manual section 1-410
UC Policy on Citizenship Restrictions • “. . . it is contrary to University policy to accept provisions in sponsored projects or gifts which require discrimination in employment, including discrimination based on citizenship.” -- Council of Chancellors, June 17, 1988
What is ‘Fundamental Research’? • The export regulations, both EAR & ITAR, define fundamental research as: • Basic and applied research in science and engineering conducted at US universities, the results of which ordinarily are published and shared broadly within the scientific community. • See Supplement No. 1 to Part 734 for extensive explanatory questions and answer regarding what is not subject to the EAR in the context of university and research laboratory activities.
What is Not Fundamental Research? • Given this definition of fundamental research, university research will not qualify as fundamental research if • The university or research institution accepts any restrictions on the publication of the information resulting from the research, other than limited prepublication reviews by research sponsors to prevent inadvertent divulging of proprietary information provided to the research by the sponsor or to ensure that publication will not compromise patent rights of the sponsor; or • The research is Federally-funded and specific access and dissemination controls regarding the resulting information have been accepted by the university or researcher.
Do’s and Don’ts – Shipping • Do NOT ship any item outside the U.S. without first checking the ITAR and EAR lists to determine if the item is controlled. • Secure license approval or verify license exception PRIOR to shipment for all controlled items.
Do’s and Don’ts – Restricted Information • Do NOT enter into secrecy agreements or otherwise agree to withhold results in project conducted at the University or that involve University facilities, students or staff. • Do NOT accept proprietary information from another that is marked “Export Controlled”. Review any Confidentiality/ Non-Disclosure Agreements to insure that UC and you are not assuming the burden of restricting dissemination based on citizenship status or securing licenses.
Do’s and Don’ts – CitizenshipRestrictions • Do NOT provide citizenship, nationality, or visa status information for project staff to others or include such information in proposals. • Do NOT agree to background checks or other arrangements where the external sponsor screens, clears, or otherwise approves project staff. • Do NOT attend meetings where foreign nationals are prohibited from attending. Do not sign the DD2345, Militarily Critical Technical Data Agreement, as a condition of attending a conference or receiving materials from the government.
Do’s and Don’ts - Travel • Do NOT travel to Cuba, Iran, North Korea, Sudan, or Syria for research or educational activities without first contacting the campus Office of Research to secure a license from the Office of Foreign Assets Control. • Do review equipment that you will be taking with you against export controls. A license may be required.