Violations of International Traffic in Arms Regulations
Even as one of the most overlooked issues in export controls, the elevated risks technology transfer poses require it to be a cornerstone of any effective compliance program. While many develop corporate policies that address technology transfer, the creation and disciplined execution of detailed procedures to ensure the policies’ operating effectiveness is where weaknesses can arise.
In a digital world with rapid ways of moving technology, controlling these transfers creates significant challenges as illustrated just last month in the $51 million settlement between a global aerospace and defense company and the US Department of State. The company committed close to 200 violations of the International Traffic in Arms Regulations (ITAR), most of which had occurred prior to 2020. According to the proposed charging letter, some of the primary violations included:
- Unauthorized exports and transfers of technical data to foreign national employees and contractors;
- Unauthorized exports of defense articles and technical data designated as Significant Military Equipment, which require non-transfer and use certificates; and
- Breaches of license terms, conditions and provisos of the Directorate of Defense Trade Controls (DDTC) authorizations.
These violations also included transfers of this sensitive data to the People’s Republic of China, which is a proscribed destination under the ITAR, and shipped unauthorized exports to Russia. The transgressions occurred across multiple subsidiaries and business units.
Although the company for the most part had requisite licenses or agreements in place, they did not properly follow the conditions. Among others, employees downloaded electronic files containing ITAR-controlled data when overseas at partner facilities and did not add employee providers to Technical Assistance Agreements which led to unauthorized re-transfers of technology.
Navigating technology transfer from the export control lens
While specifically defined in the ITAR and Export Administration Regulations (EAR), the terms “technology” and “technical data” generally refer to specific information required for the design, development, production, testing, operation, maintenance and repair of controlled defense and/or dual-use items. This encompasses an array of materials and intangibles such as blueprints, engineering designs, diagrams, software code, formulae, manuals and other documentation.
From both the ITAR and EAR perspectives, if a physical export of a product is controlled, the technology employed to produce or use the product is also controlled and requires a license. For example, if the technology to manufacture a controlled product is contained in blueprint, then an export occurs when the blueprint leaves the US for another country, even if sent electronically.
Since exports can be electronic in nature, transmitting technology by fax, phone, email or any other electronic means to a destination (including a person) outside the US is considered an export. Some common mistakes related to technology transfer include:
- Sending digital data links to foreign persons, including employees
- Downloading files containing controlled technical data when overseas at partner facilities
- Providing drawings with technical data in proposals before obtaining proper authorization
- Hand carries
- Neglecting to add employee providers to Technical Assistance Agreements
- Training a foreign person (whether inside or outside the US) in the design, development, use or testing of controlled technology or equipment without requisite authorization
- Re-transfers of documents with technical data
- Forwarding emails with controlled documents
- Providing technical data to people participating in training activities
US companies transferring technology to foreign nationals, including employees, must ensure they have robust systems for keeping the data secure. In addition to having written procedures and employee training, a key strategy for maintaining control over the security and confidentiality of data from inadvertent exposure is controlled by implementing premier cybersecurity solutions. Some options include using multiple layers of protection (e.g., passwords, multifactor authentication, end-to-end encryption, etc.) to access sensitive data, tracking access to export controlled technical data and storing controlled information on a secure server managed by US citizens only.
RSM US takeaways
This recent case serves as a reminder for all US companies and their foreign subsidiaries that transfer technology to ensure compliance with US export control laws. Exporters must conduct ongoing training of all applicable personnel as well as perform continuous risk assessments, compliance monitoring and detailed audits to ensure that they are working as intended and make improvements when warranted. This will help companies avoid substantial fines, penalties, imprisonment, legal fees and reputational damage, among others.
RSM’s Trade Advisory experts have proven industry experience with export controls and sanctions from their many years as corporate leaders and consultants. Together with our Government Contracting practice, our tenured teams can conduct risk assessments and tailor programs to assist corporate leaders enhance control environments and minimize risks.