Jessica Sanderson, a Partner at The Volkov Law Group, rejoins us for an important posting on the importance of compliance with defense trade controls.
On December 5, 2022, the Department of State, Directorate of Defense Trade Controls (“DDTC”) issued new Compliance Program Guidelines, “intended to provide an overview of an effective compliance program and an introduction to defense trade controls,” including information on the Arms Export Control Act, 22 U.S.C. § 2751 et seq. (“AECA”), and the International Traffic in Arms Regulations Title 22 of the Code of Federal Regulations, Subchapter M, Parts 120-130 (“ITAR”).
The new Guidelines set forth DDTC’s expectations for an effective ITAR Compliance Program (“ICP”). Specifically, the Guidelines: (i) contain information on the eight “key elements” of an effective ICP, (ii) identify “common ITAR risk areas” or compliance pitfalls that may lead to ITAR violations, (iii) provide numerous suggestions for best practices related to the key elements of an ICP, and (iv) offer a “sample audit checklist” that organizations can use to evaluate their ICPs. As with similar agency guidance regarding compliance programs (e.g., from OFAC, DOJ and SEC), DDTC suggests that there is no one-size fits all approach; “ICPs should be tailored to address each organization’s ITAR-controlled activities, risk factors, and size.”
In particular, DDTC identified the eight (8) “elements” below as critical for an effective ICP:
- Management Commitment
- DDTC Registration, Jurisdiction and Classification, Authorizations, and Other ITAR Activities
- Reporting and Addressing Violations
- Risk Assessment
- Audits and Compliance Monitoring
- Export Compliance Manual and Templates
In our view, any entity that manufactures, designs, exports, brokers, or imports defense-related articles, services, or technical data identified on the United States Munitions List (“USML”) should use the new Guidelines to re-evaluate its ICP before the end of 2023. Your assessment should, at a minimum, include a review of the eight key elements, which are fully discussed in the Guidelines.
Fortunately, DDTC provided a “sample audit checklist” that organizations can use to evaluate their ICPs. The checklist contains dozens of questions (at pages 48-59 of the 63-page guidance document) that companies can use to conduct an audit. Companies with sufficiently experienced and available internal resources can use the checklist to conduct their own internal audit: Your personnel conducting the audit should be able to answer the relevant questions through interviews of key employees and document review. Companies lacking sufficient internal resources and/or with greater risk profiles should consider engaging an outside expert, who would be prudent to ask and answer the questions in the Guidelines.
Sample New Year’s ITAR-Related Resolutions
- Relatively Simple, Inexpensive Enhancements
- Management commitment; Do you have a statement from the Board or C-Suite clearly communicating your organization’s commitment to compliance with U.S. export control laws and regulations?
The Guidelines suggest a signed statement of senior management commitment is a “critical way to demonstrate strong management support for ITAR compliance.” If you haven’t done so already, 2023 would be a good time to execute such a statement and communicate the statement to employees through all appropriate channels.
- Training; when was the last time you offered training to your employees in sensitive functions?
The Guidelines suggest training is critical and should be tailored to address company’s specific compliance risks. If you haven’t provided ITAR-related training in the last year or so, 2023 would be a good time to offer ITAR compliance training to your employees and/or key business partners. Depending on your budget and risk profile, you could offer on-line or in-person training, both of which are generally affordable and easy to roll out.
2. Recommended Resolutions To Commence in 2023: These May Require More Resources But Will Be Worth the Investment
- Risk Assessment; when was the last time you assessed your risks to determine whether you are appropriately allocating your resources to address your greatest risk areas?
DDTC suggests (and we agree) that an organization should periodically review its risks to determine whether those risks are properly addressed. After performing an ITAR risk assessment, “organizations should analyze and prioritize those risks based on all relevant factors, including the likelihood that such risks would result in ITAR violations. Organizations should then integrate their risk-based analysis and prioritization into their ICPs and allocate resources as appropriate to mitigate those risks.” Even if you conducted a recent risk assessment, you may wish to re-evaluate your risks in 2023 in light of the new DDTC guidance. Now that DDTC has identified “common ITAR risk areas” that may lead to violations, companies should, at a minimum, determine if they are vulnerable to those risks and, if so, whether they are properly controlling for those risks.
- Audits; when was the last time you conducted an audit to test the effectiveness of your ICP? Was it a comprehensive audit or was it limited to certain functions or business units? If you did conduct an audit, have you followed up to ensure corrective actions/ remediation of identified gaps or deficiencies? Have you ever engaged an external expert to provide an unbiased, third-party evaluation of your organization’s ITAR compliance program and practices?
DDTC suggests (and we agree) that an organization should periodically audit their ICPs. As the Guidelines note, “Comprehensive, independent, and objective audits, performed regularly, assist organizations in determining the effectiveness of their ICP. Such audits allow organizations to identify deficiencies in their ICP and remediate them.” In our view, which is shared by most regulators and prosecutors, companies should ensure that their ICP is not merely a “paper program,” but rather is one that is implemented, followed in practice, reviewed, and revised, if necessary, in an effective manner. Similarly, if your past audits have identified specific deficiencies, you should ensure that you have implemented corrective measures.
Again, even if you conducted a recent compliance program audit, you may wish to conduct another audit in 2023, using the new DDTC Guidelines to evaluate the effectiveness of your program. Following the guidance, smaller companies with relatively low risks and sufficient in-house resources should be able to conduct their own an internal audit using the provided checklist, and conceivably could limit their audit to certain higher-risk functions or business units. Larger companies and/or companies with greater risk factors may wish to consider engaging external experts to conduct a comprehensive, objective audit, especially if the company has never done so before.
Key Takeaway: The stakes have been raised. DDTC has now made its expectations clear, and a failure to meet those expectations could lead to adverse consequences. Affected companies should, therefore, take the time in 2023 to fully understand and embrace the new guidance, and to build a better ITAR compliance program.