The International Traffic in Arms Regulations (ITAR)1 now provides an exemption from licensing for intracompany transfers of unclassified defense articles (including technical data) by approved end-users and consignees (including authorized sublicensees) to their employees who are dual- and third-country nationals of proscribed countries.2  The exemption, 22 C.F.R. § 126.18, also requires that (1) the transfer take place within the country where the end-user is located, (2) the transfer be within the scope of the export authorization, and (3) the foreign end-user implement effective procedures to prevent diversion to proscribed countries.


Defense contractors and subcontractors often rely on component manufacturers or engineering teams throughout the world to fulfill a contract.  Therefore, cross-border transfers of defense articles (including technical data) are often necessary.  Such transfers, however, are subject to the strictest controls on export so as to ensure that U.S.-origin defense articles do not get diverted to countries or entities that pose a risk to our nation's security.  Therefore, the ITAR mandates that defense articles may be exported only pursuant to a Directorate of Defense Trade Controls (DDTC)-approved license (or exemption thereto), Technical Assistance Agreement, Manufacturing License Agreement, or Warehouse Distribution Agreement.

Prior to this week, effecting an intracompany transfer of unclassified defense articles to dual- and third-country national employees of an authorized foreign end-user was possible via an exemption from licensing.  That exemption, however, allowed a transfer solely to nationals of Australia, Japan, New Zealand, Switzerland and the member states of NATO and the European Union ("NATO +").3   If an intracompany transfer contemplated an employee who was not born in a NATO + country, such as an engineer who is a Chinese-born citizen of the United Kingdom, said employee was considered a dual national of the United Kingdom and China simply based on his or her place of birth.  Employees who are dual- and third-country nationals of embargoed countries, e.g., China, Venezuela, and Vietnam, could be denied employment on ITAR projects, because export authorization to those countries is subject to a policy of denial by the DDTC. 

To vet an employee's nationalities, a U.S. company would rely on the approved foreign entity to collect sensitive information (place of birth, country of current citizenship/nationality, adoption information) on the dual- and third-country national employee.  Thereafter, the foreign entity would release such information to the U.S. company so the latter may seek licenses that specifically identify the nationalities of dual- and third-country national employees who require access to defense articles. 

The foregoing resulted in the disparate treatment of employees based on their national origin (and the collection and reporting of their personal information).  Worse still, it directly conflicts with many home-country antidiscrimination, privacy, and human rights laws.  By extension, electing to comply with the ITAR triggered cumbersome administrative undertakings and, in some cases, exposed employers abroad to costly antidiscrimination and privacy violation claims.


According to the DDTC, the new exemption was designed to address concerns that previous requirements conflicted with certain foreign human rights laws and created a compliance burden.  As a threshold matter, intracompany transfers of unclassified defense articles (including technical data) to dual- and third-country nationals who are bona fide regular employees or long-term contractors directly employed or under contract by the foreign consignee or end-user are exempt from licensing so long as:

  1. the transfer takes place within the country where the end-user is located,  
  2. the transfer is within the scope of the export authorization, and
  3. the foreign end-user and consignee implement "effective procedures" to screen for diversion risk. 

The DDTC has identified two measures that may be considered "effective procedures":

  1. a security clearance approved by the host nation government for its employees; or
  2. a comprehensive screening mechanism for diversion risk. 

With regard to (2), the DDTC  presumes the following to constitute a risk of diversion to proscribed countries:

  • regular travel to those countries;
  • recent or continuing contact with agents, brokers, and nationals of those countries;
  • continued demonstrated allegiance to those countries;
  • maintenance of business relationships with persons from those countries;
  • maintenance of a residence in those countries;
  • receiving salary or other continuing monetary compensation from those countries; and
  • acts otherwise indicating a risk of diversion.

Aside from the foregoing, the end-user would need to implement a technology security/clearance plan, maintain records of screenings for five years, and require all relevant employees to execute a nondisclosure agreement.  It is helpful to review the DDTC's recent additional guidance regarding "effective procedures" and screening.4


The list of proscribed countries in 22 C.F.R. § 126.1 now includes over 25 countries.  Together, these countries account for roughly a quarter of the world's population. Chances are good that you will encounter a need to use the exemption.  In our view, the focus ought to be on the  "effective procedures"  requirements.  Specifically, does the foreign end-user have a security clearance from the home-country government? If  the answer is yes, the new exemption is very useful.  Otherwise, implementing the requisite comprehensive screening mechanism for diversion risk may be a very burdensome and risky undertaking.

Namely, the foreign end-user still retains the burden of culling, collecting, and transmitting sensitive information about its employees and thereby risks running afoul of home-country antidiscrimination, privacy, and human rights laws.  Likewise, because the U.S. exporter has no oversight of the foreign end-user's vetting practices, it ought to implement indemnifying assurances so as to guard against the risk that its defense articles and technical data are not diverted.