The recent export enforcement action involving United Technologies Corp. offers exporters many lessons in export compliance, and demonstrates how even seemingly well-prepared export compliance programs are vulnerable to failure. This case involved multiple subsidiaries and divisions of United Technologies, including Hamilton Sundstrand Corp., Sikorsky Aircraft Corp. Derco Aerospace, Inc., Kidde Technologies, Inc., Pratt & Whitney Rocketdyne, Pratt & Whitney U.S., and Pratt & Whitney Canada.
United Technologies was charged with 576 violations of the International Traffic in Arms Regulations (ITAR) in connection with the unauthorized export and transfer of defense articles, and the unauthorized provision of defense services to multiple countries over a number of years. A brief description of the charges levied by the Directorate of Defense Trade Controls (DDTC) are as follows:
- 13 charges: Hamilton Sundstrand exported electronic engine control software specifically modified for use in military helicopters to Pratt & Whitney Canada without a license.
- 11 charges: Pratt & Whitney Canada re-exported the engine control software to China.
- 1 charge: Hamilton Sundstrand failed to file the required export information for the shipment of an ITAR-controlled defense article to Canada.
- 1 charge: Failure to notify DDTC of the United Technologies' knowledge of the sale or transfer of a defense article to a proscribed country.
- 58 charges: Hamilton Sundstrand exported to multiple countries defense articles incorrectly determined to be not subject to the ITAR.
- 1 charge: Export of a defense article to a Venezuelan military end-user.
- 51 charges: Pratt & Whitney U.S. exported technical data and automation tools to an Indian company and its contract engineers without a license.
- 1 charge: Hamilton Sundstrand exported a laptop containing technical data to China without a license.
- 437 charges: Failure to abide by the substantive and administrative terms and conditions associated with DDTC-approved Technical Assistance Agreements (TAAs), Manufacturing Licensing Agreements (MLAs) and Warehousing Distribution Agreements (WDAs).
- 2 charges: Kidde Technologies exported defense articles to Singapore without a license.
Additionally, Pratt & Whitney Canada pleaded guilty to two of three criminal charges, including willfully exporting defense articles without a license in violation of Arms Export Control Act, and making false statements to DDTC.
United Technologies received a civil penalty of $55 million, as well as the statutory debarment of Pratt & Whitney Canada. United Technologies also agreed to rigorous compliance and remedial measures. Finally, the company also agreed to pay more than $20 million in civil penalties in a deferred prosecution agreement with the Department of Justice.
What Went Wrong?
In its charging letter, DDTC noted that it had considered United Technologies' voluntary disclosures and remedial compliance measures as significant mitigating factors, but due to the harm to national security and the systemic, longstanding and repeated nature of the violations, charged the company with 576 violations. The charges were gleaned from numerous transactions and unauthorized activity committed by United Technologies subsidiaries over the past six years, stemming from both bad actors and insufficient compliance oversight.
For example, on several occasions, Hamilton Sundstrand exported electronic engine controls it manufactured to Pratt & Whitney Canada. Pratt & Whitney Canada subsequently re-exported the engine controls to China. Even after both companies became aware of the export control issues present in re-exporting the engine controls for a military end-use in China, Pratt & Whitney Canada continued to export the engine controls to China. In 2006, United Technologies first disclosed the unauthorized exports and re-exports of the engine controls. In its charging letter, DDTC noted that the 2006 disclosure was not submitted until two and a half years after Pratt & Whitney Canada and Hamilton Sundstrand became aware of the Chinese military end-use.
After the 2006 disclosure discussed above, United Technologies conducted a review of Pratt & Whitney Canada and Hamilton Sundstrand products during which it discovered additional unauthorized exports and re-exports stemming from the misclassification of ITAR-controlled items.
In another example, after the 2006 disclosure, Hamilton Sundstrand submitted a separate disclosure reporting that it had incorrectly classified 261 items as not subject to the ITAR, and had exported those items and related technical data on more than 800 occasions. In several other instances, Pratt & Whitney Canada, Hamilton Sundstrand and other company subsidiaries did not report or disclose violations until a year or more after the violations were discovered.
In 2008, a Pratt & Whitney U.S. review of technology control plans revealed that 51 ITAR-controlled technical data documents, including some designated as SME, were accessed without authorization by Indian engineers, both abroad and in the U.S. Further reviews revealed extensive additional opportunities for unauthorized access to controlled technical data. The DDTC could not determine the exact scope of the violations due to Pratt &Whitney U.S.’s inability to record and track forensic evidence related to the data access. Pratt & Whitney Canada similarly disclosed violations involving the unauthorized access by foreign nationals to numerous ITAR-controlled drawings on the company’s intranet system. Again, in most instances, the violations were not disclosed until a significant length of time had passed since the initial discovery.
The failure to comply with DDTC-approved agreements, such as TAAs, MLAs and WDAs, made up a significant number of the violations charged. Company entities, such as Pratt & Whitney U.S., committed extensive violations of the DDTC-approved agreements. Examples include exceeding the scope of a TAA by providing training on engine design, development and production; exceeding the scope of several MLAs by engaging in the unauthorized manufacture of engine forgings, the unauthorized provision of defense services, and the unauthorized re-transfers of technical data and defense services to sublicensees; and exceeding the value of three MLAs by $35 million. Other issues included additional unauthorized transfers and unauthorized foreign national access to unauthorized persons, including by foreign licensees, IT subcontractors and unauthorized employees.
Hamilton Sundstrand acknowledged that “it failed to manage its agreements properly and to keep adequate records of its ITAR-controlled activities.” The failures were attributed to “a lack of clear compliance processes and adequate IT systems, due in turn to inadequate resources for compliance.”
Compliance Program Lessons
According to DDTC, United Technologies, through its various subsidiaries, submitted multiple disclosures during the past several years with a broad spectrum of corrective and remedial measures to be implemented. Yet violations continued to occur, ultimately leading to this enforcement action. Below, we discuss a sample of the export compliance lessons to be learned from the case.
One of the most deceptively simple lessons is the importance of transparency into the activities of a company’s subsidiaries or other entities, combined with “top down” support from company executives and upper level management. The phrase “deceptively simple” is appropriate here because, while the concept is simple in theory, obtaining this support is often difficult for trade compliance departments. Trade compliance receives neither the attention nor the support granted to company functions such as sales or research and development. However, both transparency and “top down” commitment are necessary for an effective compliance program.
While this is often regarded as the least definable component of an effective compliance program, it is one of the most important, and touches on every aspect of trade compliance. Commitment from the top is needed to recognize and communicate the importance of trade compliance throughout all levels of a company, earmark adequate resources, run a trade compliance program, and remain receptive to the fact that an effective compliance program is organic and evolving. Similarly, “top down” support is necessary to allow trade compliance to have the level of visibility and transparency needed to effectively prevent violations from occurring, whether at the hands of “bad actors” or merely through a compliance oversight.
The importance of the proper classification and tracking of ITAR-controlled items and agreements cannot be overemphasized. Compliance with U.S. export regulation is predicated on the proper classification of the item or technology at issue. As shown above, many of the violations in the United Technologies case resulted from the incorrect classification of defense articles. The proper marking or identification of ITAR items is equally as important. How are you identifying physical products as ITAR-controlled? Are they stored in a separate area, tagged or otherwise designated as ITAR-controlled, or are they commingled with non-ITAR products? How are you storing and identifying ITAR-controlled technology maintained electronically? Any one of these questions, for which a proper procedure doesn’t exist, may lead to inadvertent violations.
The prevalence of electronic exchanges of ITAR-controlled technical data also presents unique concerns. Many companies have procedures to ensure that emails containing ITAR-controlled technical data are designated as such, or that technical data is stored in ITAR-designated folders on the company’s server or intranet. However, many companies aren't equipped to identify when this electronic technical data is accessed without authorization. Not only does this create potentially dangerous holes in a compliance program, it can make a full and accurate disclosure to DDTC extremely difficult, as the company is left without the ability to measure or quantify the type and level of unauthorized access.
The management of activities authorized under DDTC-approved agreements is critical as well. We frequently see companies inadequately prepared to deal with the complexities of tracking and calculating the items, technology and services exchanged under an approved agreement. No “one size fits all” methodology for tracking and depreciating against these agreements exists; rather, a successful approach must be tailored to the specific activities authorized in the agreement. The scope of an approved agreement is commonly exceeded in two ways: by value and by the scope of access to technology permitted. It is easy to understand how an agreement may be exceeded in value, for example, if goods are manufactured to a value in excess of that approved under an agreement. It becomes more complicated, especially if an effective method of depreciating against the agreement doesn’t exist from the outset, to track and value the services performed or rendered under an agreement. Similarly, the scope of access to controlled technology approved under an agreement is also often exceeded. Multiple variables can account for the difficulty in managing this aspect of an approved agreement, including employee turnover within your foreign subsidiary or business partner, poor IT control over controlled technology abroad, lack of training and understanding within your foreign subsidiary or partner regarding the permissible release and sharing of controlled technology, and any contractors or outsourced functions of your foreign partner.
Additionally, it is worth noting that even if a method of tracking the products and services exchanged under an approved agreement exists, the scope of the agreement may still be easily exceeded if both the U.S. and foreign parties to the agreement are not trained on the specific parameters of the agreement.