Академический Документы
Профессиональный Документы
Культура Документы
Records
CEUs
Support
Ryan Enos
ID 7857684
Introduction to Export
Compliance
University of Connecticut - Storrs & Regional Campuses - CITI Export
Controls Course
Introduction
Export controls are an ever-growing area of compliance for universities and research institutions
across the United States and around the world. Export control laws and regulations affect a
variety of activities, including many activities that take place physically within the U.S. and its
territories. The word "export" is often misapplied, misinterpreted, and/or misunderstood causing
many to ignore the restrictions to which they are subject, and that can result in costly
consequences.
This module provides a basic overview of export controls, helping to understand how to identify
when certain items and activities may be subject to these federal regulations that control the
export of goods and services. This understanding allows you to be proactive in ensuring that
compliance is achieved and maintained at all times. It is equally important to keep in mind that
export control is not just about moving product, it is also about services such as consulting,
training, speaking at conferences, and more. While this module will give you an awareness of
how export controls can affect your day-to-day activities, you should always consult with your
institution's export control office (ECO) before engaging in any activity that could be controlled
and allow that expert to help you maintain compliance.
However, there are other U.S. federal agencies, such as the Customs and Border Protection
(CBP), Department of Homeland Security (DHS), Food and Drug Administration (FDA),
Alcohol Tobacco and Firearms (ATF), Nuclear Regulatory Commission (NRC), and U.S.
Department of Energy (DoE), just to name a few, who also have jurisdiction over certain items
and/or activities subject to export controls.
Learning Objectives
Identify the differences between the three primary U.S. regulatory agencies.
Recognize when export controls may be applicable to various research activities.
Evaluate actions and processes needed when export controls may be involved.
Regulations
EAR can affect day-to-day activities within your institution, such as:
Department of State Regulations
DDTC is responsible for overseeing and enforcing the International Traffic in Arms Regulations
(ITAR). Items that are under the jurisdiction of the ITAR are categorized on the U.S. Munitions
List (USML). Products and services listed on the USML are designed for and/or directly applied
to military purposes. Items on the USML are categorized by a Roman numeral sequence, such as
XII(h), IV(j). There are 21 categories within the USML. Items that appear on the USML will
require obtaining an export license prior to exporting, releasing defense articles, or providing
defense services.
Items can be controlled under the EAR or ITAR, and not limited to tangible objects. It is also
possible for the same item to be controlled under both the EAR and ITAR, though there are
typically characteristics that distinguish which regulations the item is subject to. For items
potentially subject to both the EAR and ITAR, the ITAR takes precedence. When it is difficult to
determine with certainty where a product or service falls within the EAR or ITAR, your
institution's ECO will be able to submit a classification request.
ITAR can affect day-to-day activities within your institution, such as:
OFAC regulations can affect day-to-day activities within your institution, such as:
What is an export?
15 CFR 734.13 (EAR 2016) defines export as, "an actual shipment or transmission of items out
of the United States." It also includes releasing or transferring. Many often think that the term
“export” only covers an item in a box shipped physically overseas. While this is one example of
an export, there are many other ways in which something can be exported, such as: auditory,
visually, verbally, or electronically. These types of exports can occur in innocent ways such as
glancing at design specifications on someone's desk, emailing data or specifications to a foreign
collaborator, eavesdropping on a conversation, meetings or conferences with foreign persons in
attendance, sharing data on a shared drive, uploading files to the cloud, instruction, training, and
so on. If the item is exported (or released) to an unauthorized foreign person or foreign
destination, a violation against the Arms Export Control Act (AECA) (22 USC 2778) may have
occurred.
To minimize the potential for unauthorized exports, it is critical to take certain reasonable steps
to protect the items or the data from access by or disclosure to those who are unauthorized. These
steps may be as simple as covering the papers on your desk, encrypting files or emails, or
locking materials in a file cabinet. However, compliance requirements could go further by
securing the item in an access-controlled area and maintaining a log every time someone
accesses the area and/or any controlled items. The security measures that are to be taken is a
combination of common sense, directives that are given based on the classification of the item,
and/or the terms of an agreement for which you or your employer are parties to. These measures
may also be specific to the “National Industrial Security Program Operating
Manual (NISPOM)” or the “Nunn-Wolfowitz Task Force Report: Industry ‘Best Practices’
Regarding Export Compliance Programs.”
An export of technology or source code (except encryption source code) is "deemed" to take
place when it is released to a foreign person within the U.S. (15 CFR 734). Technology is
"released" for export when it is available to foreign persons for visual or other inspection (such
as reading technical specifications, plans, or blueprints); when technology is exchanged orally or
in writing; or when technology or software, through “access information” is made available (15
CFR 734).
The deemed export rule is of special concern to those who work with source code that is export-
controlled. Publicly available source code would not be export-controlled. However, let us say
for example that you are working on a facial recognition software program for the Federal
Bureau of Investigation (FBI). Even if the source code is publicly available, the project itself
may be restricted to foreign national participation due to reasons of national security. Although,
there are exceptions to the rule. The sharing of source code with foreign persons is permitted if
such persons are employees, contractors, or interns for the company. Unfortunately, this does not
include students. However, one might argue that a student, compensated for example with a
tuition stipend, would be considered an employee. In such situations, it is best to work with your
ECO and have them seek an advisory opinion from the appropriate U.S. government agency.
Note, however, that an advisory opinion in one case may not be the same for every case and thus
you will need to obtain authorization for each unique occurrence.
The deemed export rule can also be troublesome for institutions that hire foreign persons in the
areas of engineering, physics, chemistry, marine and atmospheric sciences, bio-informatics, and
nanotechnology, just to name a few, because these disciplines often require the use of export-
controlled technology. Even though these persons would be considered employees, a deemed
export license may still be required in order for them to have access to the technology they need
to perform their responsibilities. Your institution’s ECO is best at helping to determine when a
deemed export license may be required.
It is important to note that in 15 CFR 772 (EAR 2016) use is defined as "operation, installation
(including on-site installation), maintenance (checking), repair, overhaul and refurbishing."
Therefore, all six elements must be applicable to the situation unless an ECCN specifies one or
more of the six elements of use in the heading or control text; then only those elements specified
are applicable. Work with your institution’s ECO to determine the aptness of these elements for
any particular event.
This term is also used to describe any foreign entities, such as corporations, businesses,
associations, partnerships, trusts, societies, or other groups that are not incorporated or organized
to do business in the U.S. It may also apply to international organizations, foreign governments,
and any agency or subdivision of foreign governments (for example, diplomatic missions). Any
person, for example, a tourist, student, businessperson, scholar, teacher, technical expert, sailor,
airline personnel, salesperson, military personnel, or diplomat, that is in the U.S. and is a citizen
or permanent resident of another country other than the U.S., and does not fall into one of the
three categories noted above, is considered a foreign person. Individuals working for a foreign
company in a foreign country would assume the nationality of that foreign entity regardless of
citizenship or residence. For example, a former colleague, a U.S. citizen, takes employment with
Mercedes-Benz in Germany. The former colleague asks to have some engineering designs that
he did for the U.S. Air Force while at your institution sent to him. A transfer of technical data to
the former colleague would be considered an export to Germany.
Even when a foreign person is in the U.S., the individual may still be subject to export control
restrictions, regardless of their employment status or visa type. This is the deemed export rule as
discussed above.
Releasing U.S. export-controlled items to foreign nationals, regardless of their location, is still
subject to restrictions of such items and treated as if they were in their home country. Releasing
such items is “deemed” to have been exported to the country for which the individual or entity is
a national of. For example, an export from the United States to an Israeli national in the United
Kingdom is a physical export to the United Kingdom, and a deemed export to Israel.
Receiving a license is a privilege and also comes with great responsibility. The regulations at 15
CFR 750.7(d) of the EAR (2016) note “it is the licensee’s responsibility to communicate in
writing the specific license conditions to the parties to whom those conditions apply.” It also
notes it is the licensee’s responsibility to obtain writing acknowledgement of those conditions
from the party(ies) involved. Any changes to the purpose or even the parties identified in the
original application will require additional authorization from BIS.
All manufacturers, exporters, and brokers of defense articles, related to technical data and
defense services as defined on the USML (22 CFR 121 [ITAR 2016]) are required to register
with the DDTC. Registration is primarily a means to provide the U.S. government with
necessary information on who is involved in certain manufacturing, exporting, and brokering
activities. Registration does not confer any export rights or privileges but is a pre-condition for
the issuance of any ITAR license or other DDTC approval for export. The registration fee
adopted a three-tier structure in 2008 and modified it in 2013 to account for amendments to
ITAR (22 CFR 129). A university or research institution conducting research or working with
technology or technical data that is subject to the ITAR must register with DDTC. For example,
if a scientist is using an accelerometer with QRS-11 technology in oceanographic research, the
institution must first register with the DDTC. Once approved, the institution may then apply for a
license from DDTC.
Another way to identify the classification of items is to have the manufacturer or vendor provide
the classification at the time of quotation. If you notice the item has a USML classification, ask if
there is an EAR equivalent. Do not be surprised, however, if the EAR item initially costs more
than the ITAR item. Your justification for accepting this additional cost is that the cost of the
ITAR licenses that may be required, year after year, would ultimately result in an overall higher
cost for the item. This is not even going into the operational/administrative burdens of any access
or usage restrictions that an ITAR item may create for you, your project, and your institution.
Importing items, such as medical equipment, may also require certification from the FDA in
order to clear customs. Another example could be obtaining approval from the Animal and Plant
Health Inspection Service (APHIS) to import species of plants from India. Maybe you are
shipping water extracted from caves in Iran back to the U.S. for research in studying climate
change; it is important to make sure that you have the necessary approval from OFAC first. Do
not rely on the party shipping the item to you from overseas to know what certifications or
authorizations are needed to import the item into the U.S. As stated many times already, work
with your institution's ECO to ensure you have a smooth transaction.
BIS has posted three advisory opinions between 2009 and 2014 regarding the cloud, and in all
three instances they have stated very clearly that the user is 100 percent responsible for the
content that is uploaded onto these sites. If the CSP is hacked, they will not be liable for the
release of the export-controlled data; the account holder will. Therefore, it is the responsibility of
the user to ensure that the technology or technical data stored is not accessible by foreign persons
(such as the cloud provider's foreign IT administrators). Remember that no contractual
arrangement with a cloud provider, no matter how carefully drafted, will shift the burden of
export compliance to the provider. If you work with export-controlled information and need
electronic access to share or retrieve it, please work with your institution’s ECO to find an
appropriate solution.
Does the Fundamental Research Exclusion (FRE) help universities
avoid restrictions of export controls?
Issued in 1985, National Security Decision Directive (NSDD)-189 established a definition of
fundamental research, which has been incorporated into numerous regulations (in other words,
EAR and ITAR), internal compliance regimes, and guidance documents. Per 15 CFR 734.8
(EAR 2016), fundamental research means “research in science, engineering, or mathematics,
the results of which ordinarily are published and shared broadly within the scientific community,
and for which the researchers have not accepted restrictions for proprietary or national security
reasons.” The focus of this term is “the results of which ordinarily are published.” This refers to
the techniques used during the research are normally publicly available or are part of the
published information. The FRE is something that many universities and research institutions
strive to maintain. The role of the EAR is not to regulate fundamental research as such; it is to
regulate the transfer of technology and software. Research may give rise to export control issues
if:
While research results developed or generated under the FRE are exempt from export controls
and can be freely shared with foreign persons both in the U.S. and abroad, any materials, items,
technology, technical data, or software developed or provided for conducting the research may
not be exempt.
One condition that typically negates the FRE by researchers is research that constitutes
development. 15 CFR 772 (EAR 2016) defines development as being "related to all states prior
to serial production, such as: design, design research, design analyses, design concepts, assembly
and testing of prototypes, pilot production schemes, design data, process of transforming design
data into a product, configuration design, integration design, layouts." A few examples of where
research can easily step into "development" and therefore negate the FRE are:
Consult with your institution’s ECO for guidance with applying the FRE to any research project.
Do export controls affect dual use research of concern (DURC)?
Yes, they can. DURC is a policy that was released in 2012 as a result of fundamental research
that developed into something that could potentially be turned into a biological weapon. Though
the research was funded by the National Institutes of Health (NIH) and had no publication
restrictions, the governments of the countries for which the scientists were from stepped in to
evaluate whether such research should be made publicly available. After several months of
reviewing, one of the governments said it is okay to publish but the other still restricted it and
required an export license to be obtained in order to share the data. The full story can be
reviewed here.
The U.S. Government Policy for Oversight of Life Sciences Dual Use Research of Concern was
released in March 2012. On 24 September 2014, the U.S. government released the U.S.
Government Policy for Institutional Oversight of Life Sciences Dual Use Research of Concern.
These two policies are complementary and emphasize a culture of responsibility by reminding all
involved parties of the shared duty to uphold the integrity of science and prevent its misuse.
The scopes of the policies are limited to a well-defined subset of life sciences research that
involves 15 agents and toxins and seven categories of experiments. If research activities using
any of these agents or the toxins go above the minimum allowable amounts, you will need to
work with your institution's ECO to obtain an export license to work with the materials. This is
above the other requirements for working with hazardous materials.
Life sciences researchers should be familiar with DURC and speak with their institution's
biosafety officer and ECO.
If your travel takes you to destinations such as Vietnam, Tunisia, South Korea, Poland, Morocco,
Israel, or Egypt you may be required to obtain approval to import certain technology from that
country's government prior to arriving. While the countries listed here is not inclusive, all
travelers should verify with their institution's ECO as to any restrictions with exporting, as well
as importing, the encryption technology on their institution-owned or personally-owned devices
that are used for business purposes for their proposed destinations. Obtaining approval to export
from the U.S. government can be a lengthy process, as can the process for obtaining
authorization to import restricted items from a foreign government agency. When time is of the
essence, travelers should consider a loaner laptop from their institution that is free of encryption
technology. Speak with your institution’s ECO about this option for travel.
When traveling, if you access your cloud-account you have exported the information into the
country where you are at the time. If any of that information is export-controlled, a violation may
have occurred. This holds true even if you are a U.S. citizen and you uploaded the information
while in the U.S. and you are accessing your account from your institution-owned laptop or
personally-owned tablet. It is advised not to access any information from a cloud account during
international travel unless you are 100 percent certain the information is not export-controlled or
considered proprietary.
While this section focused mostly on laptops, other items that are used as a tool-of-trade may
also be affected. For example, a geologist whose luggage includes a GPS device that is used for
their field research in Venezuela may need to obtain an export license for the GPS before
traveling; or, a neurosurgeon who will be demonstrating using a Gamma Knife may also require
a license to give such instruction at a conference in Cuba.
Speaking of Cuba, since the 17 December 2014 announcement by President Obama of re-
establishing diplomatic relations with Cuba, there have been numerous amendments to the
Cuban Assets Control Regulations (CACR). These changes include greater flexibility in financial
transactions and the ability to book flights directly with commercial airlines. Despite these
improved conditions, Cuba remains an embargoed country under U.S. laws. As such, under 31
CFR 515 (Cuban Assets Control Regulations 2016), activities are still limited to 12 specific
categories. Tourism is still prohibited. Therefore, while traveling to Cuba under an authorized
category, the schedule is prohibited from engaging in tourism activities. More changes in the
CACR are likely, so it is important to work with your institution's ECO to stay apprised of the
changes that will affect university business transactions concerning Cuba.
Prohibited Parties
Many federal agencies publish lists that contain names of individuals and entities prohibited
from certain activities. The lists are referred to in various ways:
If a party to your transaction matches a party name on any of these lists, you are required to do
your due diligence to ensure full compliance with all the terms and conditions of the restrictions
placed on the parties on the list. Engaging in a transaction with prohibited parties could result in
a violation for you and your institution. Parties on these lists are not just foreign nationals; they
can also be U.S. persons.
Some lists, such as those from the NRC, will list individuals and entities but it may not mean that
you cannot engage in business activities with them. You must read the citation in order to
determine the restrictions. There are instances where the party appears on a list because the
citation is a matter of public record, but not because they have been restricted or otherwise
denied privileges.
Some of the lists published by the U.S. Department of State, U.S. Department of Commerce, and
the U.S. Department of Treasury have been consolidated into one spreadsheet as an aide to
industry in conducting electronic screenings of potential parties to regulated transactions. This
consolidated screening list can be found here. These lists that have been consolidated are the
minimum of what should be checked. If your institution does human subject testing or provides
medical care, you will also be required to check certain lists from the Office of Inspector General
(OIG), the FDA, and certain state lists that are not included in the consolidated list noted above.
Additionally, some foreign sponsors may require you check restricted party lists that are
produced by their government agencies (for instance, Canada and the United Kingdom).
There are service providers of restricted party screening software who can provide a consolidated
resource for all available lists. Some providers have over 230 lists worldwide that their system
checks in a matter of seconds. Such services can be integrated to your institution's network,
which in turn builds a more robust screening process to the compliance program. Speak with
your institution's ECO for assistance with screening for prohibited and restricted parties.
Penalties
Violations of the Export Administration Act of 1979 - as amended (EAA), 50 USC app. 2401-
2420 (2013), and the EAR, may be subject to both criminal and administrative penalties. When
the EAA is in effect, criminal penalties can reach 20 years imprisonment and $1,000,000 USD
per violation. Administrative monetary penalties can reach $11,000 USD per violation, and
$120,000 USD per violation in cases involving items controlled for national security reasons.
When the EAA is in lapse, the criminal and administrative penalties are set forth in the
International Emergency Economic Powers Act (IEEPA). The EAA has been in lapse since 21
August 2001, and President Bush, through Executive Order 13222 on 17 August 2001 (which
has been extended by successive Presidential Notices), has continued the EAR under the IEEPA.
The IEEPA of 2007 significantly increased penalties for export violations, including deemed
export violations. The penalty increase applies to almost all economic sanctions programs
administered by OFAC, and the anti-boycott and export control rules in the EAR. Under the
IEEPA:
Section 11A(h) of the EAA (2013) provides that, at the discretion of the Secretary of Commerce,
no person convicted of a violation of the EAA, IEEPA, or Section 38 of the AECA (2014) (or
any regulation, license, or order issued under any of these laws), or one of several espionage-
related statutes will be eligible to apply for or use any export license issued under the EAA for
up to ten years from the date of the conviction. In addition, Section 11A(h) provides that the
Secretary of Commerce may revoke any export license that the party had at the time of the
conviction.
Under the ITAR, violations and penalties are defined in 22 CFR 127 (ITAR 2016):
Any person who willfully: (a) violates any provision of section 38 or section 39 of the Arms
Export Control Act (22 U.S.C. 2778 and 2779), or any undertaking specifically required by part
12 of this subchapter; or (b) in a registration, license application or report required by section 38
or section 39 of the Arms Export Control Act (22 U.S.C. 2278 and 2279) or by any rule or
regulation issued under either section, makes any untrue statement of a material fact or omits a
material fact required to be stated therein or necessary to make the statements therein not
misleading, shall, upon conviction, be subject to a fine or imprisonment, or both, as prescribed
by 22 USC 2778(c).
Case Law
USA v. John Reece Roth, 6th Circuit, No. 09-5808, Jan. 5, 2011
The court held that in order to prove a willful violation of the ECA, the
government only needs to prove the defendant acted with knowledge that
his conduct was unlawful; not the specific items that were on the USML.
Recordkeeping
The records and recordkeeping requirements for OFAC (31 CFR 501), ITAR (22 CFR 123), and
EAR (15 CFR 762) allow for the destruction of records after five years. If your institution
governs records be retained for a longer period of time, then the greater time period would be
applied. Exceptions would be documents that were requested by the governing agency and
records related to a voluntary self-disclosure, which would require written approval from the
governing agency. However, there are instances when retention of records may require extended
periods due to the nature of the transaction or product. For example, an institution procures an
inertial navigational unit (INU) for their research vessel from a supplier in Canada. The life
expectancy of the INU is ten years. If the INU needs to be returned to Canada for repair,
paperwork showing the legal procurement of the item may need to be provided to U.S. Customs
and Border Protection for the export to Canada, as well as for import back to the U.S. once the
item has been repaired.
Summary
Today's global regulatory and fast-paced business environments transcend geographical and
institutional borders and present new compliance challenges. Export control laws and regulations
around the globe are constantly in flux, and as conditions in other countries change so too can the
conditions in which business is conducted in those areas. Thus, what was true today may not
necessarily be true tomorrow. Compliance with export control laws and regulations is not an
option; it is mandatory and can pose serious consequences for all individuals involved as well as
the institution they represent. A "knowing and willing" condition is not the only way a violation
can be weighed and thus it is essential to work with your institution's export control officer or
other responsible delegate to ensure that compliance is achieved.