Getting Started ~ For Managers
Every company that trades in products or technology that could have “strategic value” – whether specifically designed for military use or otherwise – needs to have an internal export control compliance program (an “ECCP”), even if it does not sell abroad. US and foreign export control law are complex and the penalties for violating them – even unknowingly – can be stiff.
Compliance programs – like companies – come in all shapes and sizes, depending on the range and complexity of their commercial activities. When it comes to assessing fines for violations, which can run to $250,000 per, regulators routinely view a company’s failure to have an effective ECCP as an aggravating factor.
Every effective ECCP is unique – tailored to the activities and needs of each company. But the steps for developing all ECCPs usually include:
• a risk audit;
• a product/technology classification analysis;
• a flow analysis;
• writing a compliance manual; and
• training an ECCP manager and all employees.

Step 1 ~ The Risk Audit
An export control risk audit reviews your company’s activities to identify the ways in which the company is at risk for violation of export control laws. For example, if your company:
• exports products to a sub in Country A that sells to customers in Country B, your sub may need re-export licenses to ship to Country B, even if your company does not need licenses to export to Country A;
• employs foreign nationals on H1-B visas, it may need “deemed export” licenses to disclose certain technologies to nationals of certain countries;
• manufactures abroad, it may need licenses to disclose its schematics and processes to its foreign partners.
Your risk audit is the basis for development of your ECCP – it identifies the potential violations that your ECCP will be designed to prevent.

Step 2 ~ The Classification Analysis
Certain products and technologies are “classified” by our government as requiring licenses for export or disclosure to foreigners. An export control classification analysis reviews your company’s products and related technologies to determine which, if any, require licenses for export, as well as the destinations for which export (or re-export) licenses may be needed. For example, if your company deals in:
• “defense” articles, technology or services that are identified on the United States Munitions List, you probably need licenses for the export thereof to all countries, including our closest allies;
• “dual use” items that are identified on the Commerce Control list, you may need licenses to export to all or only some countries
Your classification analysis generates a “matrix” which indicates, for handy reference, which of your company’s products, technologies and services require licenses to export to particular destinations.

Step 3 ~ The Flow Analysis
A flow analysis identifies the ways in which your company handles orders and technology, to identify the processing points at which decisions must be made as to whether a particular order:
• can be filled without a license;
• can be processed under a license your company has already obtained;
• cannot be filled until a license is obtained.
It also identifies the people who may need special training to ensure that their decisions are the right ones.

Step 4 ~ Writing A Compliance Manual
Based on your company’s risk audit and classification/flow analyses, a compliance manual is written. Compliance manuals typically include:
• a statement from upper management requiring every employee’s adherence to the procedures set forth in the manual;
• a classification matrix that puts all employees on notice as to which products, services and technologies require licenses for export to which countries;
• lists of embargoed countries, persons/entities and end-uses (irrespective of classification); and
• compliance responsibilities of particular job functions (from salesmen who must flag problematic orders, to HR personnel who must flag problematic hires, on up to the company’s compliance officer who must ultimately decide how to deal with problematic situations.
Your company’s compliance manual is the basis for training of all employees in compliance with export controls.

Step 5 – Training
Training is based on your company’s compliance manual and conducted on a “need to know” basis. For example:
• your company’s export control compliance officer – charged with implementing your ECCP and deciding whether export licenses are required – should get extensive training, including at seminars conducted by the government;
• your company’s HR director should be trained to flag hires that might give rise to deemed exports;
• your company’s IT director should be trained to ensure that internal information flows and internet marketing platforms are compliant; and
• all employees should be trained to recognize the “red flags” that trigger duties of further inquiry to avoid efforts by customers to circumvent our export control laws.