The European Commission (the Commission) recently issued draft guidelines on the core elements that European industry should take into account when implementing internal export controls and sanctions compliance programs. The guidance – which is legally non-binding – will be finalized upon the results of a public consultation providing the opportunity for EU exporters to comment on its core elements. Companies can participate by responding to a survey until November 15. It is the intention of the Commission to share the results of this survey with a Technical Expert Group before finalizing its guidance.

Internal compliance programs (ICPs) have long been part of a culture of compliance in the US, but much less so within the European Union. However, ICPs are increasingly viewed in the EU as a key element for an effective export control system. While not expressly alluding to ICPs, the EU Dual Use Regulation has encouraged Member States to take into consideration whether a company employs adequate means and procedures for compliance when assessing applications for global export authorizations. In addition, ICP guidelines have been introduced by some Member States as a tool to better monitor compliance with EU and national export controls. The EU Dual Use Regulation Recast Proposal formally introduces standardized operational ICPs as part of the assessment in the granting and control of global export authorizations and certain general export authorizations. In implementing these ICP guidelines, the EU is acting pursuant to the multilateral provisions of the Wassenaar Arrangement that have expressed support for ICPs and for this type of regulatory guidance.

The US System

In the US, the export controls and sanctions regulatory agencies have put the implementation and monitoring of ICPs at the top of their agenda for many years.

For example, the US Treasury Department’s Office of Foreign Assets Control (OFAC) lists “the existence, nature and adequacy of a Subject Person’s risk-based OFAC compliance program” as a factor in its Economic Sanctions Enforcement Guidelines in determining the nature and extent of any penalty to impose when an apparent violation is identified, along with being a key element in assessing the remedial response of companies that are the target of enforcement action. OFAC commonly treats the absence or inadequacy of a company’s compliance program as an “aggravating factor” in its enforcement actions. OFAC has quite a bit of guidance about compliance programs for various industries on its website, particularly for the financial and insurance industries.

The US Commerce Department’s Bureau of Industry and Security (BIS), responsible for dual-use export controls, has for years had compliance program guidelines posted on its website, and similarly considers the adequacy of a company’s compliance program as a factor in guiding its enforcement actions. Other US government agencies, such as the Department of Justice, also have significant online resources in place providing their views on the key elements of an effective compliance program.

The EU’s ICP Guidelines

The EU’s guidelines provide the following illustrative list of the core elements of an effective ICP structure:

  1. Top-level management commitment to compliance
  2. Organisation structure, responsibilities and resources
  3. Training and awareness raising
  4. Transaction screening process and procedures
  5. Performance review, audits, reporting and corrective actions
  6. Recordkeeping and documentation
  7. Physical and information security

The EU guidelines make a number of points that are particularly noteworthy, such as the following:

  1. The guidelines note at the outset that an effective ICP must be tailored to the particularities of the company, which generally calls for a risk assessment to be conducted at the outset of the process of designing an ICP, and to be revisited periodically as the business and regulatory environment change over time.
  2. Companies should ensure that the compliance function is free of conflicts of interest organizationally, such as by making it independent of the sales function, and that it has the power to stop transactions when necessary.
  3. The guidelines note that any transaction screening process should not only focus on the dual use goods classification of the exported item but also on its end-use and whether it is intended for a jurisdiction subject to an EU sanctions regime.
  4. The guidelines also raise the point that a company’s recordkeeping policy should go beyond the documents required by law and should also include proactive documentation of its compliance process, described as documents that “may be in your company’s best interest to maintain.”
  5. In Annex 2, the guidelines provide a list of red flags relating to suspicious enquiries, which are similar to those issued by the US, UK and other authorities. One particularly noteworthy “red flag,” for example when trading with China or other state-dominated economies, is “the end user is tied to the military, the defence industry or a governmental research body and the stated end use is civilian.”

Other aspects of the guidelines may call for some elaboration and refinement by the Commission before finalizing this document, such as the following:

  1. The vague recommendation for screening transactions for “sensitive destinations,” which are described as “not embargoed or sanctioned, but the shipment of (certain) dual-use items thereto can be critical in individual cases, for example because of proliferation or human rights concerns. Member State governments can implement their own approach on this matter.” Harmonized EU-wide guidance on which countries or parties raise these concerns would allow companies to act on this in a practical way. The Commission should also provide guidance about what it means for a company to be “aware” that there is information of concern about a customer’s stated end-use, for example by listing restricted or high-risk end-uses and describing the nature and extent of a company’s due diligence obligation in various circumstances.
  2. While it is positive that the EU guidelines mention physical and information security, the authorities should consider issuing clarifying guidance on the nature and extent of EU companies’ obligations to restrict “intangible” technology transfers, which some view as an enforcement gap in the EU system as compared with the US system. The reference in these ICP guidelines only to the “removal” of controlled information could raise a question about whether purposeful technology transfers to restricted persons or destinations is problematic under EU law.
  3. It is noteworthy that the EU’s ICP guidance does not go as far as to state that the adequacy or inadequacy of a company’s ICP would be treated as a factor in enforcement decisions, leaving the topic of enforcement to the competency of national level authorities.

While these EU ICP guidelines are a step in the right direction and may be of interest for European exporters, the Commission would benefit from industry input to help make this document more practical and complete. Without exceeding its authority vis-à-vis national regulators, the Commission should go as far as it can in the final version of these guidelines to provide the latest information on best practices and be as specific and pragmatic as possible in stating what the expectation is of a compliant EU exporter. We will be looking forward to seeing the next iteration of the ICP guidance.