The European Commission recently issued draft "best practices" guidance on the core elements that companies (and other entities) should include in their internal compliance programmes (ICPs) for trade in dual-use goods, software and technology.1 The focus is on export of dual-use items, but the guidance could be useful for certain aspects of sanctions compliance, for example, as well. To allow a technical expert group of Member State representatives to finalize it for publication, the Commission has asked for feedback on the draft ICP guidance via an online survey by 15 November 2018.2
The EU's Dual-Use Regulation3 does not explicitly require companies to put in place an ICP, but provides for general consideration in the authorization context of whether exporters have "proportionate and adequate" means and procedures to ensure compliance. As a result, Member States may require ICP implementation for simplified procedures or otherwise take it into account in their enforcement activities. In addition, draft EU legislation aiming to modernize dual-use controls4 currently provides for ICP implementation as a prerequisite for certain authorizations. In that vein, the objective of the draft ICP guidance is to provide a non-binding instrument identifying the core elements for an effective ICP under the EU Dual-Use Regulation.
ICP core elements
The draft ICP guidance considers the following seven core elements essential to ensure an effective ICP for companies involved in dual-use exports (which could be applied in the sanctions compliance context):
1. Top-level management commitment to compliance: Companies should develop a written corporate commitment statement confirming top-level management’s specific compliance expectations and ICP support, and ensure that it is communicated to all employees (and possibly to third parties through corporate websites).
2. Organisation structure, responsibilities and resources: Companies should ensure that sufficient organisational, human and technical resources are available for effective ICP development and implementation. This includes giving at least one person overall responsibility for compliance; setting up an internal organisational structure with well-defined responsibilities and back-up functions; ensuring that relevant staff is kept fully up to date on applicable rules, protected from conflicts of interest (e.g., sales pressure), and has power to stop transactions; and drawing up an ICP manual.
3. Training and awareness raising: To ensure that trade control staff have the necessary expertise and take compliance duties seriously, they should receive compulsory, periodic training (e.g., external seminars, in-house training events). This also includes raising general compliance awareness for employees at all relevant levels (e.g., purchasing, engineering, project management, shipping, customer care and invoicing).
4. Transaction screening process and procedures: As part of internal measures to ensure that transactions are not violating applicable trade controls, it is critical that companies perform the following:
- Determine any item control classification, or if the item is otherwise subject to trade controls (e.g., sanctions);
- Assess transaction risk, including through sanctioned destination and party checks, and end-use/party and diversion risk screening (also in light of catch-all controls and specified red flags);5
- Identify (and fulfil) any licensing requirement;
- Ensure final pre-shipment checks, including compliance with authorization conditions.
5. Performance review, audits, reporting and corrective actions: Companies should ensure that the ICP is regularly reviewed, tested and revised. This includes establishing control mechanisms for the day-to-day compliance work with whistleblowing and escalation procedures; internal or external audits to confirm correct ICP implementation; and documentation and communication of any corrective actions (plus potential communication with the competent authority).
6. Recordkeeping and documentation: This involves ensuring proper safekeeping of relevant records under Member State rules and easy filing access, including through record retention requirements in any contracts with third parties (e.g., distributors).
7. Physical and information security: Companies should prevent unauthorized removal of controlled items by employees or third parties, including through restricted company access areas, but also the necessary tools to protect items in electronic form through file encryption, antivirus checks, firewalls, etc.
The draft guidance emphasizes that an ICP should be tailored to the size, structure and scope of a company's business, and recommends that the ICP development process should start with a risk assessment to identify the company's individual dual-use trade risk profile. With this in mind, it features a list of frequently asked questions6 for developing or reviewing a company's ICP.
While many EU exporters of sensitive items will already have in place an ICP, it would be useful for them to review the above draft core elements and consider whether any changes to current company compliance procedures may be appropriate. It would also be important to monitor when the final ICP guidance is issued, and any related Member State activities and requirements that may develop as a result.