Compliance with export control laws is one of the main challenges of a compliance department. Yet significant personal risks for management have put the topic high on the agenda of legal/compliance departments. To enhance their level of compliance with these rules, the European Commission (commission) just published its recommendation on internal compliance programs (ICP) for dual-use trade controls (the guidance). The guidance contains legally nonbinding elements that should be considered by EU companies concerned by dual-use trade controls in designing an effective ICP.
EU law imposes substantive rules for the export of dual-use items, which are implemented and enforced at the member state level. Dual-use items are defined as all goods, including software and technology, which can be used for both civil and military purposes. The EU dual-use regulation establishes a regime for the control of exports of dual-use goods, technology, and software outside the European Union. In its current form, the dual-use regulation does not contain ICP requirements with which companies must comply. Article 12(2) provides that, when determining whether to grant a global export authorization, competent authorities must consider the application by the exporter of "proportionate and adequate means and procedures to ensure compliance" with the dual-use regulation and the terms of the license. As a result, member states may require ICP implementation for simplified procedures or otherwise take it into account in their enforcement activities.1
In the past couple of years, discussions on the modernization of the dual-use regulation included a proposal for the introduction of ICP requirements for global export authorizations and EU General Export Authorisation for intracompany transmission of software and technology. The discussion was enriched by common approaches and practices concerning ICPs by various member states, which helped map the current state of relevant authorities' expectations for businesses.
These elements resulted in the guidance, which provides for a framework to help exporters identify, manage, and mitigate risks associated with dual-use trade controls and ensure compliance with applicable laws. It also aims to help competent authorities in their assessment of risks when considering the issuance of individual, global, or national export licenses.
The guidance builds on existing approaches in export control compliance, including in the context of the Wassenaar Arrangement, the Nuclear Suppliers Group, the results of the fourth Wiesbaden Conference (2015), and the 2017 U.S. export control and related border security program ICP guide.
The guidance is not legally binding, but exporters' obligations and responsibilities stemming from the dual-use regulation are maintained.
The guidance takes into consideration the particularities of each exporter. As a result, the scope and extent of ICPs in companies depend on the size and commercial activities of the company, the strategic nature of the company's items, possible end-use/end-users, geographic presence of clients, and the complexity of internal export processes. In other words, ICPs must be tailor-made for each company, easy to understand and follow, and capture the day-to-day operations in the company.
In order to achieve this, the guidance recommends that companies hold a risk assessment before developing or reviewing their ICP, in order to determine their dual-use risk profile and identify relevant vulnerabilities. Such risk assessment should consider the product range, the customer base, and business activity that could be affected by dual-use controls. The establishment or review of the ICP should be based on the outcomes of such risk assessment.
Finally, the guidance clarifies that, if a company holds a valid Authorized Economic Operator authorization, the relevant assessment of its customs activities may be taken into account for developing or reviewing their ICP. In this context, the authorities' prior review in the customs area may prove valuable in determining certain aspects of the ICP, such as physical security and record keeping.
The core elements of an ICP
The guidance contains seven main elements that are deemed to be the cornerstones of an effective ICP and may be used by exporters for benchmarking their compliance approach. For each element, the guidance describes the relevant objectives and authorities' expectations ("What is expected?") and the steps necessary to reach these objectives ("What are the steps involved?").
The seven elements are not an exhaustive list and include the following:
- Top-level management commitment to compliance: Effective ICPs should be based on a top-down approach, through which management gives significance, legitimacy, and resources for the compliance commitments and overall culture in the company. This should be achieved through: (a) building compliance leadership; (b) drafting a written statement on internal compliance procedures; and (c) providing clear, strong, and continuous support to compliance.
- Organization structure, responsibilities, and resources: The implementation of compliance procedures relies on sufficient organizational, human, and technical resources. In this context, a clear organization structure and well-defined responsibilities contribute to minimizing oversights. This aspect should include: (a) written organizational structure identifying person(s) with the overall compliance responsibility; (b) well-defined roles and qualified personnel in relevant roles, protected from conflicts of interest and having the power to stop transactions that present risks; and (c) documented internal procedures (e.g., a compliance manual).
- Training and awareness-raising: Training is an essential aspect of ICPs, especially with respect to staff relevant to dual-use controls. Training may be conducted through external seminars, sessions by competent authorities, in-house training, or any other method. Importantly, training should be compulsory and regular for dual-use trade control staff, while all employees in a company must be aware of relevant risks and procedures.
- Transaction screening process and procedures: These procedures aim to collect and analyze relevant information to allow companies to determine whether a transaction involving dual-use items is controlled, and develop and maintain a standard of care for handling suspicious orders. Such processes and procedures concern the following elements: (a) products classification; (b) transaction risk assessment, including checks on sanctioned countries, screening of counterparties, diversion risks, and "catch-all controls"; (c) license determination and application; and (d) post-licensing compliance with the relevant license conditions.
- Performance review, audits, reporting, and corrective actions: This element refers to the review, test, and revision of ICPs and related internal measures at companies. It aims to ensure that the ICP is implemented in a manner consistent with applicable EU and member states' legislation and should include: (a) clear reporting procedures and escalation actions; (b) systematic, targeted, and documented audits; (c) control mechanisms as part of the daily operations; and (d) ways to ensure all employees feel comfortable reporting potential breaches, such as whistleblower policies and escalation procedures.
- Record-keeping and documentation: Comprehensive record-keeping systems are crucial in contributing to effective audits, compliance with national document retention requirements (the dual-use regulation provides for a minimum document retention period of three years), and facilitating cooperation with national authorities. Such systems should include procedures and guidelines for: (a) storing legal documents, (b) managing records, and (c) tracing dual-use related activities.
- Physical and information security: Dual-use items should be protected through appropriate security measures addressing risks of unauthorized removal or access thereto. Ensuring physical and information security is vital for complying with applicable rules.
The guidance also includes an annex of questions pertaining to a company's ICPs that may be useful for developing and updating ICPs. Finally, the guidance also contains a nonexhaustive list of "red flags" that warrant greater vigilance when detected in dual-use related transactions, pertaining to dual-use products, their end-use and end-users, the shipment process, and the financing conditions.
What changes for EU exporters?
The guidance aims to ensure that companies involved in the export of dual-use items have in place adequate and effective systems to track transactions, identify, and prevent potential risks, thus allowing compliance with applicable EU and national rules.
The guidance constitutes a compilation of past experiences and best practices identified in relevant export controls regimes worldwide. However, the current dual-use trade controls regime in the European Union does not change and exporters maintain their responsibility to comply with obligations under the dual-use regulation.
The guidance will contribute to crystallizing best practices in the area of export controls by setting the scene and appropriate benchmarks for EU companies when establishing their ICP.