NCURA REGION VI & VII 2011 SPRING MEETING
APRIL 3 - 6, 2011
Export Controls: In the Trenches: Hands-On Approach to Export Compliance
Presenters:
Kay Ellis
Adilia Koch
Export Compliance Program
Licenses and Other Requests
Technology Control Plans
Recordkeeping
Voluntary Disclosures
Presentation Overview
KEEPING YOUR CAMPUS COMPLIANT
Export Compliance: “Preventing violations”
Develop an Export Compliance Management Plan
Risk Assessment – Where are the high risk areas?
Shipping
Procurement
Sponsored Research
Specific colleges/units
Develop “best practices” and tools
Checklists
NDAs, MTAs
File for licenses and exemptions
Technology Control Plans (TCPs)
Manual
Training
Maintain export control website
Recordkeeping
Managing export controlled research
Assuming you can’t negotiate out the restrictive clauses - how do you manage the export controlled project?
Determining the need for a license (Export Controls Review)
Questions to Ask:
What is the nationality of researchers INCLUDING Professors and Research Assistants (grad students/post-docs)?
Will the researcher or grad student be receiving restricted information? Is it EAR controlled? Is it ITAR controlled?
Determining the need for a license (Export Controls Review)
Questions to Ask:
Is the project strictly defense-related?
If it’s ITAR, will the foreign national grad student need to discuss the data with the sponsor?
Destination: Is the research technology or goods going overseas to a foreign company, government or individual?
Does the PI want to take the technology/equipment/data with him or her?
Determining the need for a license
Steps to Take:
Determine if license is needed for the technology/end user/end use
Determine if license exemption or exception is available
Do I need to be concerned about export controls in this research?
NO
1. Public domain, and
a) No equipment, encrypted software, listed-controlled chemicals, bio-agents or toxins, or other restricted technologies are involved, and
b) Information/software is already published, and
c) There is no contractual restriction on export, or
2. Fundamental Research
(note definitions and caveats associated with this exemption)
Probably (further review is required) – License May Be Required
1. Equipment or encrypted software is involved, or
2. Technology is not in the public domain, and
3. Technology may be exposed to foreign nationals (even on campus) or foreign travel is involved, and
a) The equipment, software or technology is on the Commerce Control List, or
b) Information or instruction is provided about software, technology, or equipment on the CCL, or
c) The foreign nationals are from or the travel is to an embargoed country
4. The contract has terms, e.g. a publication restriction, that affect the Fundamental Research Exemption
YES – License Will Be Required
1. Equipment, software, chemical, bio-agent, or technology is on the US Munitions List (ITAR), or
2. Equipment, software, chemical, bio-agent or technology is designed or modified for military use, use in outer space, or there is reason to know it will be used for or in weapons of mass destruction, or
3. Chemicals, bio-agents or toxins on the Commerce Control List are involved, or
4. The contract contains a restriction on export or access by foreign nationals
Determining the need for a license
If no exceptions or exemptions, determine what kind of license is needed:
• EAR
• ITAR
• OFAC
What next?!
Next steps:
Get a license
Set up a Technology Control Plan
Train the project personnel
Audit the Plan
Keep records
Register first!
If ITAR – must be registered with State (DDTC)
http://www.pmddtc.state.gov/registration/index.html
$2250 flat fee for first-time users and universities or organizations not subject to taxation
Need a digital certificate
License submitted through D-Trade
If EAR – must register with Commerce (BIS)
Free!
http://www.bis.doc.gov/snap/pinsnapr.htm
If OFAC – no registration necessary
Bureau of Industry & Security (BIS): SNAP-R licenses
Deemed Export License (BIS 748P-B)
Licenses are required for release of controlled technology or software to a foreign national only if a license is required for the export of such items to the home country.
Commodity Classification
Review the Commerce Control List (Part 774 Supplement 1) to identify (approximately) the ECCN or ECCNs that seem to be appropriate. Try to describe your item/technology in the control parameters used in the CCL entries.
Shipping license (BIS 748P-A)
http://www.bis.doc.gov/snap/index.htm
Submitting an OFAC license
No required form – provide a detailed description of proposed transaction, including names and addresses of all involved
States in the license records shall be made available upon demand for at least 5 years
Call Licensing Div. (202) 622-2480 or Compliance Div. (202) 622-2490 for status
http://www.treasury.gov/about/organizational-structure/offices/Pages/Office-of-Foreign-Assets-Control.aspx
Most Commonly Used ITAR Forms and Agreements
DSP-5
License for permanent export of unclassified defense articles and related unclassified technical data
License for foreign employees/students
“Vehicle” for online submission of TAA
Technical Assistance Agreement (TAA)
an agreement for the performance of a defense service(s) or disclosure of technical data
Most Commonly Used ITAR Forms and Agreements
DSP-83 Nontransfer and Use Certificate required for export of significant military equipment (SME) and classified articles/data
DSP-73 License for Temporary Export of Unclassified Defense Articles
Commodity Jurisdiction (CJ) – Purpose is to determine whether an item or service is covered by the U.S. Munitions List (USML)
Commodity Jurisdiction (CJ) Requests: “What to do when you don’t know what to do”
ONLY STATE CAN DETERMINE JURISDICTION
EAR or ITAR?
Need to go to the authority – State Department has sole authority
not the PI
not the Sponsor
not DoD
not Commerce
You do not need to be registered with State to submit a CJ
Before you start writing…
Ask yourself the 3 most obvious questions
Who is funding the project? (DoD? NASA? NIH?)
What is the intended end-use? (Military? Commercial? Both?)
What is the actual technology involved? (Surveillance? Space?)
Then ask yourself these…
Does the item or technology have predominant military, space or intelligence application?
Was it designed, manufactured or tested to meet military or commercial specifications?
What is the current predominant application?
Does it have performance equivalent (in form, fit and function) to an item used for civil application?
Is there sufficient justification for Commerce or State Department jurisdiction?
If it looks like a duck…
The CJ process is there to use when there is doubt about a technology’s or commodity’s jurisdiction
When writing a CJ, you’re usually trying to argue your item is not subject to the ITAR
CJs take time to write and even more time to process
Don’t waste time on a CJ if there is no doubt your project is controlled under the ITAR and you have no justification for reconsideration
If the intended end-use is for a military application, there is no doubt – it’s ITAR-controlled
And it sounds like a duck…
Follow your instincts
Don’t believe everything PIs tell you no matter how confidently or definitively they state it
Most PIs, unless they’ve worked in industry, are not experienced with or savvy about these regulations – high level of naiveté
Dig for information, ask lots of questions
Ask them again and again
Some assertions I’ve heard….
“This (satellite) information can’t be ITAR-controlled to Japan – they’re a peace-loving nation. They are our allies.”
“DHS doesn’t fund ITAR-controlled work because DHS is a civilian law enforcement agency.”
“We can’t call it ITAR because we don’t know the end use. The sponsor won’t tell us because it’s classified.”
“I have a document marked ‘ITAR-controlled’ but it’s also marked ‘uncontrolled when printed.’ I have a printed copy so I guess it’s not export-controlled.”
It is a duck
Prime is DoD
Sponsor won’t tell you which agency within DoD
Contract terms and conditions contain restrictions on publication and participation of foreign nationals
Statement of Work asserts “innovative and advanced research”
End-use is for a military application
It’s an ITAR duck
Doubt arises when…
The sponsor’s determination differs from yours
You’re modifying a defense article substantially for a commercial purpose*
You are collaborating with another university that is treating the project differently
You request a classification or a license from BIS and they advise you to submit a CJ
*If you’re modifying an item for a military purpose, it’s ITAR-controlled.
Tips on writing CJs
Include as much information as possible
PI or technical staff must participate in writing the CJ – they need to explain the technology clearly
Try to anticipate questions
Don’t try to fudge
Predominant means most of the time
Identical means exactly the same
Modified means modified – no matter how insignificant the change may seem
Tips on writing CJs
Two legitimate arguments:
Your commodity is not a defense article and is not on the USML
Your commodity was a defense article but has been modified so it no longer has military application
Tell them how you think it should be classified, e.g. Dual-use, EAR99, ECCN 3A992, etc.
Tips on writing CJs
Follow the Guidelines – these are not in the regulations – they are online, see: http://www.pmddtc.state.gov/commodity_jurisdiction/index.html
DDTC often posts information on its webpages – always check for the latest information
CJs must be uploaded* to DDTC using their Electronic Form Submission software.
Requests must include fully executed DS-4076 CJ Form and all supporting documentation
120.4 (c) revised – no longer need original and 7 collated copies!
*as of September 3, 2010
CJ Processing
Interagency review
Per DDTC usually less than 65 business days
May get calls for additional information, be ready to answer or have PIs and Researcher prepared to respond
Be courteous and professional and make sure the PI and Researchers are as well
Don’t blame the reviewers, they’re just doing their jobs
Documenting Export Controls Compliance:
Technology Control Plans
ELEMENTS OF A TECHNOLOGY CONTROL PLAN
License or Technology Control Plan?
In some situations it is possible to put a TCP in place instead of applying for a license
A TCP is simply a plan that outlines the procedures to secure controlled technology (e.g., technical information, data, materials, software, or hardware) from use and observation by unlicensed non-U.S. citizens
If this is not possible, then a license or technical assistance agreement would be needed
Technology Control Plans (TCPs)
If you have export-controlled projects at your university you need technology control plans
Elements of a TCP
Commitment
Personnel Screening
Physical Controls
IT Security
Recordkeeping
Communication and Training
Ongoing audits and assessments
When do you need a TCP?
In conjunction with a Technical Assistance Agreement (TAA) – Dept. of State
In conjunction with a Deemed Export license – Dept. of Commerce
In conjunction with an agreement that does not allow foreign nationals
In conjunction with an agreement that involves controlled technology – includes NDAs
Or in conjunction with any project that involves controlled technology!
What are some key elements to consider in developing a TCP?
A TCP is project-specific!
Authorized personnel should be identified
Export-controlled information must be identified and marked as export-controlled
Project data and/or materials must be physically shielded from observation by unauthorized individuals by operating in secured lab spaces or time blocks
Work products such as soft and hardcopy data, lab notebooks, reports, and research materials should be stored in locked cabinets preferably in rooms with key-controlled access
More elements to consider…..
Key controlled access by authorized personnel only
Equipment or internal components such as operating manuals and schematic diagrams containing identified export-controlled technology must be secured
Disposal of export-controlled information
Discussions about the project
authorized personnel only and in secure area
no third-party discussion unless conducted under signed agreement with U.S. citizen limitations
Even more elements to consider…..
Export-controlled electronic communications and databases need to be secured. Such measures may include:
user ID, strong password, SSL or other approved encryption technology (TrueCrypt)
activate screensavers after 10 minutes
full disk encryption for laptops
Must include any project specific restrictions
PI must approve and all project members sign off
Now that the TCP is in place…
Project personnel need to be trained or briefed prior to the start of the project
Update TCP Certification every semester – project personnel could change
Retrain project personnel at least once a year
Audit project to make sure TCP is being followed
Get IT folks to help audit electronic security measures
Now that the project is over…
Security measures should remain in effect to protect export-controlled information unless earlier terminated when the information has been destroyed or determined to be no longer controlled.
The devil is in the details!
Export Compliance: Recordkeeping
What’s required of us?
Federal Sentencing Guidelines: Effective Compliance and Ethics Program
In general, requires the “…exercise (of) due diligence to prevent and detect criminal conduct; and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
United States Sentencing Commission, Guidelines Manual, §8B2.1(a) (Nov. 2006)
What’s required of us?
The USSC’s 7 Step Program
Establish standards & procedures
Knowledgeable governing authority with reasonable oversight
Authority personnel does not include individuals engaged in illegal activities
Effective training programs
Monitoring, auditing, periodic evaluation, and a reporting system for employees & agents
Consistent enforcement
Respond to non-compliance w/ reasonable steps
So where is recordkeeping?
The USSC’s 7 Step Program
Establish standards & procedures
Knowledgeable governing authority with reasonable oversight
Authority personnel does not include individuals engaged in illegal activities
Effective training programs
Monitoring, auditing, periodic evaluation, and a reporting system for employees & agents
Consistent enforcement
Respond to non-compliance w/ reasonable steps
But, what is a record?
National Archives & Records Administration
36 Code of Federal Regulations (CFR) 1220
Section 1220.14 General Definitions: Records include all books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the Government or because of the informational value of the data in them (44 U.S.C. 3301).
In Export Control-speak…
Export Administration Regulations (EAR)
Part 762 Recordkeeping
International Traffic in Arms Regulations (ITAR)
Part 122 Registration of Manufacturers and Exporters (122.5), with an additional clause at Part 123.26 Recordkeeping requirement for exemptions
Documentation must be kept five years after the expiration of license
EAR Part 762
Scope
Transactions involving restrictive trade practices; exports/reexports; Canadian exports if involving non-U.S./Canadian persons with an interest; or any other transactions subject to the EAR
Records to be Retained
Memoranda; Notes; Correspondence; Contracts; Invitations to Bid; Books of Account; Financial Records; Restrictive Trade Practice or Boycott Documents/Reports, and Other records describing those transactions
Bottom Line: Anything about Anything!
ITAR Part 122.5
Maintenance of records by registrants
“…maintain records concerning the manufacture, acquisition and disposition (to include copies of all documentation on exports using exemptions and applications and licenses and their related documentation), of defense articles; of technical data; the provision of defense services; brokering activities; and information on political contributions, fees, or commissions furnished or obtained, as required by part 130 of this subchapter.”
Bottom Line: Anything about Anything!
How should I keep records?
Lessons learned from case history:
Electronic systems are valid, but not required; operational needs can (and should!) be considered in this decision
Deleting electronic records is OK; as long as all the information is available elsewhere
Record management is KEY!
Voluntary Disclosures
Export Compliance: “When Stuff Happens”
What should you do if you think you have a violation?
Have a process
Document what the process is and who needs to be involved
Empowered Official
VPR
Legal Department
Dean or Department Head
Stop the activity immediately!
Voluntary disclosures – initial letter
If you realize a violation has occurred, the appropriate agency should be notified ASAP!
Penalty (hopefully!) will be less severe
Send a brief initial notification pursuant to
15 CFR §764.5 Office of Export Enforcement (Commerce/BIS)
22 CFR §127.12(c) Office of Defense Trade Controls Compliance (State)
State the matter is under internal review and complete narrative account will follow per 15 CFR §764.5(3) and (4) or 22 CFR §127.12(c)(2)
Voluntary disclosures – Agency response
Commerce:
The BIS Office of Export Enforcement will respond upon receipt with instructions
Per §764.2(e), can’t do anything (order, buy, remove, store, use, loan, forward, service, etc.) with the item(s) in question
Per §764.5(f), can request permission to engage in activities that would otherwise be a violation
Voluntary disclosures – Agency response
State – DDTC:
The Office of Defense Trade Controls Compliance, Enforcement Division (DTCC/END) will acknowledge receipt and assign a case number
Per §127.12(c)(1)(i), you must submit full disclosure within 60 days of date of letter
Can ask for an extension but must specify what and why required information could not be provided
Voluntary disclosure – next step
Compile the facts – what happened
Gather supporting documents and information
Names, addresses, citizenship
Equipment lists (chart or table format)
Manufacturer and model number
Quantity and unit cost
ECCNs and/or USML categories
Phone calls, logs, meetings
Voluntary disclosure – supplementary letter
Show corrective action taken and the measures put in place to prevent it from happening again, such as:
Annual export control training
Set up technology control plan
Enhanced website with links to export control procedures and forms
Implemented internal procedures to ensure no exports are made without a license or license exemption
Implemented a formal export approval process
University commitment to compliance
Voluntary disclosure – supplementary letter
Give background information (project description)
Describe the violations (unauthorized export, recordkeeping, license terms)
What (item and categories)
When (supply dates)
Where (countries)
Who (people involved and citizenships)
Why (give explanation of reasons for violation)
Closeout
Hopefully you will get a letter stating “we are closing this case without taking action”
They can reopen the case
State or Commerce could require an outside audit
Worst-case scenario, the institution gets fined or the PI faces jail-time and fines
Things to remember
Don’t jump to conclusions
May not be an export violation at all, could be a misunderstanding or a violation of an internal process
We live in an electronic world
◦ Documents are emailed, downloaded, backed-up to servers, copied to thumb drives, posted to websites, printed out
◦ All of these methods must be reviewed, including who had access to what, by which means and when
Must be a closed loop process
Ensure corrective actions are implemented
Check back in a couple of weeks to make sure they are working
Discussion Time
Contact Information
Adilia Koch
Director of Export Compliance
California Institute of Technology
adilia.koch@caltech.edu
626-395-4469
Kay Ellis
Export Control Officer
University of Arizona
ellisk@email.arizona.edu
520-626-2437