On March 6, 2014, the Directorate of Defense Trade Controls (DDTC) within the Department of State announced it had entered into a $20 million settlement agreement with Esterline Technologies Corp., a Washington-based specialized manufacturer. Esterline agreed to settle claims over hundreds of alleged civil violations of the Arms Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR).
Esterline voluntarily disclosed that several of its subsidiaries violated the ITAR. Following that disclosure, DDTC alleged that Esterline and its subsidiaries had committed multiple violations consisting of, among other actions, unauthorized exports of defense articles including aviation electronics, control devices, and subsystems for military airplane cockpits and vehicles, unauthorized temporary imports of defense articles, violations of terms and conditions of licenses, and improper use of exemptions.
DDTC also determined that Esterline exercised inadequate corporate oversight and failed to establish an adequate export compliance program within companies it had acquired. Specifically, the DDTC pointed to Esterline’s large number of acquisitions since 2004. Initially, an external audit by Esterline had concluded that the company and its subsidiaries generally complied with the ITAR. However, that audit’s findings were subsequently reexamined when systematic program-wide weaknesses were found the following year. The initial external review had failed to identify myriad ITAR violations.
Despite the hundreds of alleged violations, DDTC took into account several mitigating factors when assessing its $20 million fine. Specifically, DDTC noted that Esterline’s alleged violations did not disclose sensitive technologies or harm national security; Esterline disclosed the alleged violations and cooperated with the agency to investigate the violations; and Esterline planned extensive remedial measures. Due to these mitigating factors, DDTC declined to debar the company and prohibit it from participating directly or indirectly in the export of defense articles and services.
These mitigating factors also led DDTC to suspend $10 million of the fine if Esterline expends that amount on certain remedial measures. The remedial measures included additional training for principals and employees, two external audits of its compliance program, and the appointment of a special compliance official to oversee the settlement agreement.
So, what are the lessons to be learned from the Esterline decision?
- First, you should make sure that extensive due diligence of export compliance risks is part of any acquisition, particularly if the target company is engaged in a high-risk industry. It appears that Esterline did not perform sufficient or adequate due diligence when acquiring new companies since 2004. Given that liability under the ITAR extends five years from the date of an alleged violation, companies should be mindful of any potential violations that may have occurred within the five-year period preceding the closing of any acquisition. Furthermore, the liability follows the operative assets of a business and cannot be carved out contractually.
- Second, after acquiring a company, you should invest significant resources in integration. This should include training, reviewing existing compliance policies and procedures, uniform minimum or mandatory policies and procedures, and vetting staff, among other actions. DDTC found that many of Esterline’s alleged violations resulted from insufficient knowledge of the ITAR combined with a weak corporate compliance program. The violations could have been substantially mitigated if Esterline had invested the time and resources to bring these companies properly into compliance after their acquisition.
- Third, you should have a strong, centralized compliance staff. As mentioned above, Esterline’s compliance staff did not exercise sufficient oversight to prevent the alleged violations, nor did it train employees and principals to recognize possible ITAR issues. You can prevent that by having a centralized compliance staff with a general knowledge of all your subsidiaries’ lines of business who can centralize training. Compliance staff cannot remain static as their zone of responsibilities will evolve as you acquire and divest businesses over time.
- Fourth, external audits, while important, should not be a rubber stamp for your company’s export control program. Those external audits must be conducted thoroughly and should be used as a tool to identify gaps and recommend compliance improvements. Esterline’s external audit “identified weaknesses,” but was apparently too superficial to identify the true extent of those weaknesses. You must exercise care when choosing an external service provider to perform compliance assessments and rely on internal resources who know your company.