One billion dollars: That was the fine ZTE agreed to pay in 2018 in order to lift a denial order issued by the United States government in response to export control violations. Similarly, Huawei’s CFO was indicted in December 2018 for alleged export control violations with respect to Iran. As these cases indicate, penalties for violating export control regulations can be high and include criminal charges.

Further, as discussed in my previous article “6 Things Any Entrepreneur Should Know About Export Controls,” U.S. export control law affects a broader group of companies than many people realize. Thus, it can be vitally important to have an export control compliance program. This article seeks to identify key elements to such a program.

1. An Export Control Policy

It should be apparent that the most important part of an export control program is having a policy in the first place. If a company employs foreign nationals, if a company exchanges technical information or data with overseas divisions or companies, or engages in manufacturing overseas based on designs created in the U.S., export control law may affect their business. In order to plan for and  address issues related to export control, it is critical to have an export control policy set for company procedures for complying with export control laws and responding to any inquiries from the government.

The policy should be in writing and be available to all employees should there be any question. Additionally, the policy should include a statement from senior management indicating the company recognizes the importance of U.S. export control laws and is committed to complying with all requirements. The plan should also address at least the following recommendations:

2. A Designated Export Control Officer Or Team

In order to effectively implement an export control policy, it is important to have one or more staff members designated as being the point person for export control policy for interfacing with staff. This officer or team may work with external consultants, attorneys or experts to analyze export control risks and respond to inquiries from the government.

Further, the team should include at least one U.S. citizen or U.S. green card holder. This is due to any discussion or review of technical information by a foreign national present in the U.S. on a visa being deemed as an export of the technical information to the foreign national’s home country. Thus, a U.S. citizen or U.S. green card may need to review technical information to determine whether it can be discussed with a foreign national present in the U.S. before the foreign national reviews the technical information in order to avoid prohibited exports. If a foreign national conducts the initial review, the export occurs prior to any determination whether export is permissible.

3. Classification of All R&D Projects To Identify Which Projects Present Export Control Risks

In order to address the export control laws and identify any risks, it is important to first identify which research activities implicate the greatest export controls and are thus most restrictive and which technologies do not present significant risks because they are less restricted or not restricted. In order identify the research activities with the greatest risk, it’s important to assess and classify all R&D projects at as early a stage as is feasible to identify what levels of internal controls need to be put in place.

As discussed above, the individual that is performing classifications and assessments should be a U.S. citizen or U.S. green card holder because accessing technology in order to perform a classification can be an export and thus should not be done by a foreign national (e.g. an individual in the U.S. on a visa).

Further, the person or persons performing the classification should have training on classification best practices and should also have a technical understanding of the technology being classified in order to determine which classification applies based on the technical parameters set forth in the control commerce list (CCL).

Additionally, classification of the R&D projects should be reviewed and updated on a regular basis (e.g. annually, semi-annually, etc.) to determine if the guidelines (CCL) has changed or the technology has shifted toward either more restricted or less restricted technology.

As discussed below, all staff should be trained to communicate with your export control officer or team to inform of significant project changes, new projects, or terminated projects. All of the classifications should be collected and stored in accordance with company record-keeping procedures.

4. Review of Existing Employees, New Hires, And Contractors For Export Control Risks

Once all R&D projects have been classified, it is necessary to classify or assess any export control risks presented by deemed exports (e.g., export of technical information or data to a foreign national physically located in the United States through training or employment). This employee risk assessment can be done by reviewing the classifications for each project with which an employee, contractor or visitor is expected or reasonably likely to encounter.

If, based on the classifications of the projects, a particular technology would be restricted for export to an employee’s home country, allowing or facilitating access by that employee to that project would be a prohibited export under U.S. law. In order to mitigate this risk, it is necessary to obtain a deemed export license for the employee to be able to access the technology.

This employee risk assessment does not be done for all employees but must be done for all employees who is neither a U.S. citizen or a U.S. green card holder (e.g., assessment should be done for all employees or contractors present in the U.S. on a visa).*

Further, records should be maintained for each project which a foreign national employee is expected to access and whether or not a license is required. Any required licenses should be applied for at the earliest possible time as it can take several months or half a year to obtain the relevant licenses.

5. Record-Keeping Policies

Another part of an effective export control policy is to have and follow enumerated record-keeping policies. The records to be retained include documentation of company project classification procedure, and documentation of company employee export control risk assessment procedures. Additionally, records of the actual classifications that have been determined for the projects and a rationale for the classification should also be maintained. The rationale does not need to be lengthy but should provide an assessment of what the determined classification is, other alternative classifications that were considered to have possibly been relevant, and an explanation as to why they were eliminated.

Regarding the employee risk assessment, records should be maintained of each employee, their home country or  country of citizenship, a brief job description and/or description of duties expected to be performed with reference to technical information that is likely to be accessed, and the relevant classifications of the projects that they are to be accessing. The company should have a general document retention policy in place and the retention policies should be followed for all export control related documentation.

6. Export Control Training Program To All Employees

All employees should receive initial export control training as well as follow-up or renewed training to update them on any procedural changes as well as any changes in governmental rules on a regular basis. The updated training should be provided on regular basis and should be tailored to the employee’s expected job duties and role within the company. Further, managers who oversee other employees or assess technologies or participate in the hiring of new employees may receive a second level of training specific to their expected job duties.  Additionally, other general employees may receive a third more general form of employee training again tailored to their expected job duties.

The training materials should be retained as part of the document retention policy as well as attendance logs and records of dates and times the training sessions were held should be maintained.

7. Procedures For When A Problem Occurs

While an export control plan or policy may reduce or prevent possible violations from occurring, it is possible that violations or problems may still occur. Therefore it is important that an export control policy have steps or procedures that are to be taken in the event of a violation being detected and that those procedures and policies be recorded and any violations or problems that occur be maintained in the records and reported as appropriate.

These procedures should outline a system or mechanism that allows and even encourages all employees to report any export control violation to the proper internal officer or team without fear of reprisal.  Additionally, the policy may specify remedial action to be taken against any employee who intentional violates the export control policy or obfuscates any know violation.  It is important that the policy strive to create a culture of openness and compliance with the export control regulations.

8. Audits

Finally, an export control policy should include regular audits to ensure that the company’s policies and procedures are both in accordance with government recommended guidelines and are being followed by the all staff. In some circumstances, the Audits may be performed by internal employees or external auditors may be used with the audit being performed at the instruction and specification of internal employees. The results of the audit should be maintained in writing in accordance with the document retention policy and should be communicated to all affected staff.  Further, the Audits should be performed on a regular basis based on the sensitivity of the involved technology and existing government recommendations.

Even though export control regulation may seem to present a great burden, through effectively crafting a customized export control plan for your company, the burden can be minimized and compliance with the US laws may be facilitated in an effective manner.

* Assessment is also not required for individuals who are holders of refugee status, asylum status, or other special protection statuses granted under Section 1324b(a)(3) of the Immigration and Naturalization Act (8 U.S.C. 1324b(a)(3))