ITAR compliance: ignorance is no excuse
Navigating the labyrinth of export compliance is difficult for many companies regardless of their size.
Navigating the labyrinth of export compliance is difficult for many companies regardless of their size. Those who fail to be vigilant may face hefty fines and criminal charges as well as see their businesses fail.
By John McHale
Designing a product for the military today is much more than just meeting a request for quotes or testing products to make sure they meet stringent military environmental and performance standards.
Once designed, the integrated circuit, single-board computer, avionics system, missile, or unmanned aircraft must be properly licensed by the U.S. State Department under the International Trafficking in Arms Regulations (ITAR) and other export compliance standards.
Complying to these regulations is just as complicated and detailed a task for compliance officers and attorneys as designing fire control system components is for defense electronics engineers. Failure is not an option for either task, but in the case of ITAR compliance it could result in multimillion dollar fines and even jail time for individuals who knowingly violate the law.
ITAR, which has been in place since 1976, was put in place for U.S. national security and other foreign policy objectives; therefore, the government can impose criminal and civil penalties, points out Kay Georgi, an export attorney and partner at the Arent Fox law firm in Washington. The government, in fact, has been known to prosecute individuals for willfully violating the ITAR or the Export Administration Regulations, she says, yet “even an innocent mistake can be the basis for very substantial civil fines and penalties.”
Penalties and enforcement
Civil and criminal penalties have grown since the terrorist attacks of Sept. 11, 2001, but that is due less to the volatile conflicts around the world and more to the fact that the U.S. Government has hired more enforcement personnel, Georgi notes. “Better coordinated enforcement between agencies and with the U.S. Department of Justice made export enforcement a priority,” she continues.
This is only going to become more problematic today as commercial companies, finding their own markets tanking, try to break into the defense business. The defense industry is one of the few bright spots in this economy and already designers of commercial technology are looking for ways to attract military system integrators to their products.
“Export enforcement law and regulations are very complex,” says John Hanson, director of Huron Consulting Group in Chicago and a former federal agent. “The problem in this area is further exacerbated by enforcement trends which only point to a large increase in civil and criminal actions for the next few years.
“For example, a task force was formed in the latter part of 2007 that has been educating federal prosecutors and agents regarding making cases in this area,” Hanson continues. “Prior to this, there were not many prosecutors taking these cases and very few agents focused on it, at least in the Department of Justice. As this education spreads throughout the 93 U.S. Attorney’s offices and their corresponding investigative agencies, we will see much more scrutiny and many more cases.
“Add to this that the penalties for violations in this area were significantly increased, to as much as $250,000 per violation in some instances, and the pain becomes unbearable for many small and large companies alike,” Hanson adds. Companies are also being required to self-report violations or their problem is compounded, he notes.
As with any type of law, how the regulations are enforced or interpreted depends on the person interpreting the laws, Georgi says. This is often the case in commodity jurisdiction issues, she continues. Which agency–State, Commerce, etc.–has jurisdiction depends on who is being asked at the time, Georgi explains.
The key here is to make sure complete and correct information is provided when doing a commodity jurisdiction request, otherwise it could get placed in the wrong jurisdiction and the fault will be with the company not the government, Georgi says. “It’s a case of garbage, in garbage out,” she adds.
The laws and regulations do evolve and companies must keep abreast of these changes, Georgi says. The State Department will update its U.S. Munitions list but not as often as Commerce adjusts its Commerce Control List (CCL), she continues.
Any technology used for space–commercial, NASA-related, or defense–typically is ITAR controlled because it is integrated with launch vehicles, such as the Titan, which automatically come under the ITAR, say legal experts.
“The Bureau of Industry and Security (BIS) of the U.S. Department of Commerce frequently updates the Export Control Classification Numbers (ECCNs) on the CCL because major multinational agreements that govern many of the ECCN controls are updated frequently, Georgi says.
It is also important to keep up with lists of which countries receive friendly status and which are off limits, as well as which countries that fall under U.S. sanctions and United Nations sanctions. There are some countries that “are currently off limits, such as Iran, Cuba, Syria, Sudan, and North Korea, for virtually all products and technology, and those that are off limits for defense articles and technology, such as China,” Georgi says.
Export compliance should not be an afterthought that you need to go looking for, it should be part of your morning routine so to speak, says Karen Jones, vice president of export controls at XE Corp. (formerly Blackwater) in Moyock, N.C. “It’s the same when you go to brush your teeth, your toothbrush is right where you need it,” no searching is involved.
“People say to me, ‘this is so hard to set up;’ I say, ‘Of course it is, it’s export compliance,’” Jones says. “In response to export compliance systems, people say ‘this is harder, not easier’ these systems are not particularly designed for ease, though if they are easy it is definitely a benefit. They are designed for seamless compliance and what is hard for you now makes compliance easier later.”
Most common ITAR mistakes
The ITAR is fraught with complications that make it easy for companies to make mistakes if they are not vigilant. Georgi says she typically sees about five areas where companies slip up.
The first most common mistake Georgi sees among small businesses new to export compliance is the lack of any compliance program internally. They need to invest money and training in one person internally to handle the compliance process, she says.
Many businesses in this economy are so focused on sales that they do not spend the appropriate time making sure all their products are properly licensed, Georgi says.
Some companies also believe that having a compliance program on paper is enough, which is a mistake, Georgi notes. “Their program is largely ineffective because it does not tie in with actual company procedures or because they don’t have the trained export compliance personnel to help with issues,” Georgi says.
A third mistake that results in a vast number of violations is company failure to classify long-term products as ITAR or Commerce controlled, Georgi says. “Often I hear ‘we’ve been making this product for 50 years; it’s OK,’” Georgi explains. “Well, it doesn’t matter how long you’ve been making it, it still needs to be licensed or it is a violation.”
Another compliance oversight occurs when a “company has missed something in their program–such as foreign national employees or foreign procurement of controlled parts–or they don’t have controls that follow shifting programs or products,” Georgi notes. She calls this situation “ITAR creep”–when the company thinks they have covered every angle, but something sneaks up on them and they have a violation.
A fifth circumstance is when a company sees a potential export problem with one of its orders, knows it is a red flag, but goes ahead anyway because “they are so hot for the sale,” Georgi says. This very dangerous, she adds.
“When you have a red flag, you need to stop and look into it,” Georgi says. “In the ITAR world, you need to make sure you identify all the potential problems.”
XE’s Jones says one of the biggest mistakes she sees companies make is with their record keeping. They have a tendency to focus on getting the license, but then fail to maintain their records, she continues.
They need to answer all the requirements, “show that they did what they said they would do,” in case the government comes calling, Jones says. “It’s a lot more comprehensive than a driving or fishing license. Even a driving or fishing license has follow-on obligations–a munitions export license is no different in that but more complex.”
Just knowing what the proper records are is still not enough, Jones says. When doing export compliance, it is important to become intimately familiar with the process that supports the generation of each record, so that when someone wants to review or validate what you did, no one has to scramble, she explains. “The records are right where you put them for when you need them.”
Another area that requires close attention is writing product descriptions for a license application, Jones says. Companies “need to be aware of who their audience is. You need to look at it through the eyes of a customs official. Just because it looks right to you, doesn’t mean it will to them,” she adds.
The U.S. government assessed ITT Corp. with fines and forfeitures totaling $100 million for providing night-vision technology to foreign countries.
Prime contractors are set up well with large export compliance staffs and systems, but in such large organizations miscommunications sometimes happen, Jones says. Often someone will say “I didn’t know that was ITAR controlled, or a defense item, etc.”
Also sometimes they are so focused on what is happening now they do not plan for what may happen down the road with inventory that may be exported a year or two years later, Jones says. They still get the license and do the paperwork right, but find themselves scrambling at the last minute because they lacked foresight, she adds.
At small corporations, people are often too busy and need to focus on the definitions, Jones says. They need to understand “what they are doing, and keep it simple, breaking the compliance process down into simple elements.”
Officials at FLIR Systems, a designer of electro-optics and thermal imaging systems in Beaverton, Ore., recognized that fact and took it a step further at the Paris Air Show earlier this summer, says David Strong, vice president of marketing at FLIR.
FLIR made up a brochure to give to all their employees outlining the export compliance rules they were to follow while they were in Paris, Strong says. The State Department “was impressed with how organized we were,” he adds. However, Strong says he wishes the State Department would loosen its controls. There are many foreign companies that “make very high-quality products,” Strong says. “We need to be competitive with them.”
Foreign nationals under ITAR
Another area that companies may not understand is where and when a foreign national is allowed to be involved on defense technology development.
“If they become U.S. citizens or permanent residents, they are no longer foreign nationals and no license is required to work on unclassified military projects,” Georgi says. But even if they are not a citizen or permanent resident, it is fairly easy to get license to work on unclassified programs, she adds. However, if they fall under the list of proscribed nations, they will not get a license, she cautions. This list does change from time to time depending on U.S. policy and politics, so companies need to keep an eye on it, Georgi adds.
Countries such as China (for defense) and Iran (more broadly), however, will probably not be coming off any time soon, Georgi notes.
One ITAR compliance issue that can range from black and white to extreme shades of gray is the concept of dual use–when a technology is used for commercial and military applications.
Many dual-use cases are very simple. Missiles, for example, are on the U.S munitions list, Georgi says. A laptop computer for commercial applications, moreover, typically falls under dual-use and is not a problem, she continues.
Where it can be murky is when an integrated circuit designed for commercial applications is modified for an ITAR-controlled application, Georgi says. Here, the company will have to ensure it does not need a license; the company should not assume the IC is OK because it was originally a commercial product.
“Intent is very important in these cases,” Georgi says. If the intent was to design this product for the commercial market, but it ends up unchanged in a military program, it typically will fall under dual-use and not ITAR. Georgi warns, however, to “keep an eye on the Commerce Control List as some integrated circuits are subject to high-level Commerce controls.”
Do not go it alone
Lawyers like Georgi can be expensive, but consultants can help at lesser cost or companies can invest internally on training of one or more people to handle their export compliance, she says. They need to identify in their own ranks someone who is not afraid of reading regulations, such as the safety control or quality assurance manager, Georgi says.
A good combination would be to train the internal person, send them to export compliance classes and seminars, and then hire an outside consultant or attorney to work with the internal person, Georgi notes.
Dean Young, the internal ITAR person and facility security officer at Celestica Aerospace Technologies Corp. in Austin, Texas, says: find the outside experts and “don’t be afraid to ask the tough questions.
“Organizations like the Society for International Affairs (SIA), the National Classification Management Society (NCMS), and the ASIS are great resources and can provide contacts or information regarding ITAR or export compliance,” Young continues. “The SIA publishes manuals and material related to ITAR. The SIA ‘Compliance Insiders: Toolkit for Internal Compliance’ is a great tool for any ITAR program. This toolkit includes a great checklist that you can use to put an ITAR program into place or improve the current program.”
Sometimes companies do hire law firms such as Arent Fox to advise them on key strategic issues, such as voluntary disclosures and commodity jurisdiction issues, which is not super expensive, Georgi says. Where the costs go up is when “they say they don’t have the time and have me do everything.”
“Don’t be afraid to call an attorney who specializes in export compliance and law when you are confronted by issues regarding compliance and legal issues,” Young advises. “They really can provide proper guidance and keep you out of hot water.
“I would strongly advise companies to obtain expert assistance and counsel as they consider moving into this area,” Hanson says. “It’s not a cost that many companies like to pay, but the cost/risk ratio is too high to not contemplate such proactive work gravely.”
Richard Schulman, vice president of quality at Columbia Tech in Worcester, Mass., a contract engineering and manufacturing company that just got into the defense industry in the last year, says they are taking a conservative approach, even turning down requests for quotes if they think it might be too risky for export compliance. “We hired a consultant and went through some training,” and are looking into possibly hiring a law firm, Schulman says. “Hiring the consultant was the best decision we made,” he adds.
“It was brand new to us,” Schulman says. “We thought the registration process was straightforward,” but got hit right off with a technicality when we registered under the parent company and not the subsidiary doing the work.
“It’s a time suck,” Schulman says. “I now spend 50 percent of my time on ITAR instead of 100 percent on quality.”
Leadership and management support–“without it, a small program can fail or struggle to be in compliance,” Young says. Celestica and its parent company’s leadership and management have recognized the value of supporting our security programs and understand the value of compliance.
“Too many times we have read about companies who have really struggled or have been heavily fined for non-compliance,” Young continues. “As a small facility, we simply cannot afford to be non-complaint to any security regulation. Leadership and management work hard to ensure we are compliant through support of external and internal training and making sure all possible resources are available for a company to succeed.”
“Management commitment is critical to a successful program and the management support here is very strong and the commitment to excellence in export compliance is communicated at every level of the company to our most remote operating locations,” XE’s Jones says. “We have the benefit of our self-imposed Export Compliance Committee or ECC” that provides “meticulous scrutiny on every element of our compliance procedures, systems, and activities.”
How to set up an ITAR-compliance program
Kay Georgi, a partner with Arent Fox in Washington, provided the following suggestions on how to set up an ITAR-compliance program.
The key elements are:
- ) having management issue a policy indicating the importance of compliance and the consequences of non-compliance;
- ) establish a human reporting structure–who will handle what aspects of compliance;
- ) register with the State Department and make sure you keep your registration current;
- ) classify all known products and services, and set up a system for classifying new products;
- ) set up a system for ensuring products and services subject to the ITAR cannot be exported without a license, and bring business development into that process to ensure that proposals to sell defense articles are not made unless any approvals necessary are also obtained;
- ) establish a system for identifying ITAR-controlled technical data and a control plan for controlling it: a) in hard copy; b) in soft copy on computers, LANs, e-mail messages, etc. (involve your information technology department for this); c) by business travel; and d) by visits and meetings;
- ) involve human resources so that any licenses can be obtained for foreign nationals;
- ) involve procurement to ensure that ITAR parts are not procured abroad without ITAR review and licenses, if required;
- ) put in place record keeping procedures and reporting procedures;
- ) train employees on all of the above systems; and
- ) audit all of the above systems.
For more information on ITAR compliance, contact Georgi by e-mail at firstname.lastname@example.org or by phone at 202-857-6293.
High-profile ITAR violations and penalties
When a small company makes an ITAR violation, it does not typically make a ripple in the news industry; however, over the years, there have been a few cases that grabbed the world’s attention.
Export compliance made headlines in 2003 when Loral Space & Communications Corp., Boeing, and Hughes Electronics allegedly provided satellite launch rocket integration and failure analysis services in China during the 1990s, says Kay Georgi, partner at the Arent Fox law firm in Washington. Boeing acquired Hughes in the interim.
The problem was that the satellites themselves were commercial but the launch vehicles are defense items and fell under the ITAR, Georgi says. The process of integrating the satellites with the launch vehicles and determining the causes of launch failure subjected the services to the ITAR, she says.
In reaction to these investigations, Congress placed virtually all commercial satellites and space equipment under ITAR controls, Georgi says.
The most high profile of fines hit ITT Corp. in 2007, she says.
ITT was charged with illegally transferring classified and export-controlled, night-vision technology to foreign countries, according to a Department of Justice (DOJ) letter from John Brownlee, U.S. Attorney for the Western District of Virginia on the ITT case. The company had to plead guilty to two felony charges and pay $100 million in fines and forfeitures, according to the DOJ release.
ITT had to pay $100 million in fines forfeitures–$20 million fine to the Department of State (DOS), $2 million statutory fine as part of the guilty plea; $28 million forfeiture to the U.S. government–some of which will be shared with state, local, and federal law enforcement agencies for their work during this investigation and “$50 million in restitution to the victims of their crimes– the American soldier,” stated the DOJ document.
In 2008 Lockheed Martin was fined for providing classified and unclassified technical data related to the Hellfire missile to the United Arab Emirates.
DOJ suspended the $50 million fine for five years, during which ITT must invest and develop night vision technology for the U.S. military and the U.S. government maintains “Government Purchase Rights” to all technology developed–meaning the government can share any of the ITT technology with competing defense contractors for future contracts, the DOJ document states. The money spent on the technology must also be approved by the U.S. Army Night Vision & Electronic Sensors Lab in at Fort Belvoir, Va. Any of the $50 million unspent after five years must be paid to the U.S. government.
In 2008 Lockheed Martin and Northrop Grumman were also charged with major ITAR violations. More information on ITT, Lockheed Martin, and Northrop Grumman can be found on the State Department website at http://www.pmddtc.state.gov/compliance/consent_agreements.html.
In 2008 the Department of State charged Lockheed Martin Corp. with violations of the Arms Export Control Act and the ITAR for providing classified and unclassified technical data related to the sales of Hellfire missiles to the United Arab Emirates in 2003–2004.
The letter states that Lockheed Martin officials had thought that “because the UAE already possessed inventory of the missiles an export license to export the associated technical data (i.e., performance specifications) must have already been in place.” The State Department letter also states that Lockheed Martin took “steps to secure the return of the classified material to the U.S.”
According to the State Department Order document Lockheed Martin had to pay a civil fine of $4 million and provide full disclosure to the State Department DOS.
Also in 2008 Northrop Grumman was nailed for unauthorized export of controlled parts and technology for commercial inertial navigation units, according the State Department Web site. According to the State Department Order document on the website Northrop Grumman was ordered to pay a civil fine of $15 million and an additional $5 million in remedial compliance measures.