It has been a busy summer for the U.S. Department of State's Directorate of Defense Trade Controls ("DDTC"). Since early June 2016, DDTC has announced changes that will affect International Traffic in Arms Regulations ("ITAR") compliance programs and enforcement actions. The changes include significant increases to the maximum civil penalties available for Arms Export Control Act ("AECA") violations, the publication of some—but not all—of the ITAR definitions being harmonized with those of the Export Administration Regulations ("EAR"), corresponding changes to the Guidelines for Preparing Agreements ("Agreement Guidelines"), and the release of draft forms expected to be used for license applications, registration changes, and voluntary disclosures of apparent violations.

Civil Penalty Inflation Adjustments

Pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015[1] ("Inflation Adjustment Act"), the Department of State has announced mandatory inflation adjustments that, in some cases, more than double the civil monetary penalties for violations of the AECA.[2] Prior to the Inflation Adjustment Act, all AECA violations were subject to a maximum civil penalty of $500,000 per violation. After August 1, 2016 (regardless of when the violations actually occurred), DDTC may assess per violation penalties up to:

  • $1,094,010 for most AECA/ITAR violations;[3]
  • $946,805 for certain arms transactions with countries supporting acts of international terrorism;[4] and
  • $795,445 for making proscribed incentive payments in connection with offset contracts.[5]

The penalty revisions yield some interesting comparisons: (i) some civil penalties will now carry greater fines than the maximum monetary penalty for criminal violations ($1 million per violation); and (ii) sales of defense articles to comprehensively sanctioned countries supporting acts of international terrorism could result in lower civil penalties than registration violations or unauthorized exports involving NATO allies.

Importantly, DDTC has made clear that increasing the maximum civil penalties does not impede its discretion to impose a lower penalty when circumstances warrant.[6] The increased maximum penalties provide additional incentive to submit voluntary disclosures of potential violations to gain the benefit of the disclosure as a mitigating factor in DDTC's penalty analysis.

Revised ITAR Definitions

A key deliverable of the Export Control Reform initiative is definition harmonization between the ITAR and EAR. In June 2015, DDTC and the Bureau of Industry and Security ("BIS") laid out an ambitious collection of definitions to be revised and harmonized.[7] One year later, DDTC has published interim final rules revising the definition of "export," introducing new definitions for "release" and "retransfer," and adding sections related to the export of technical data and consolidating exemptions for the export of technical data.[8] These modest provisions appear to reflect DDTC's desire to publish those items that were ready for publication and postpone for later rulemaking issues still under consideration or discussion.

In one example that has narrowed potential liability for those who possess ITAR-controlled technical data, the interim final rule definition of "export" omits a significant element that had been introduced in the proposed rule. Under paragraph (a)(6) of the proposed rule,[9] an "export" would have included releasing information (such as decryption keys or passwords) to a foreign person that would merely allow access to technical data, regardless of whether the foreign person actually accessed that data. This provision would have codified in the ITAR the enforcement approach taken in the past that providing access to controlled technical data to foreign nationals could constitute a violation, even without an allegation of actual transfer of controlled technology to the foreign person. Although this provision may return in future rulemaking, for now an "export" occurs only if the foreign person actually views or accesses the technical data as a result of being provided such information or physical access.

Perhaps the most notable development of the interim final rule is what was not included. In their coordinated proposed rules in 2015, DDTC and BIS included express categories of activities excluded from the definition of an "export." In particular, these carve-outs would enable cloud computing of controlled technical data because the sending, taking, or storing of unclassified technical data or software that is secured using end-to-end encryption with cryptographic modules compliant with the Federal Information Processing Standards (FIPS) Publication 140-2 would be excluded from the definition of "export." Although BIS published its exclusion to the EAR definition of "export,"[10] ITAR-controlled technical data remains an export when crossing a border or being provided to a foreign person, even if encrypted. Therefore, unless DDTC later adds back this exclusion, companies using cloud computing services to receive, process, store, or send ITAR-controlled technical data can ensure compliance only by using a service provider that keeps the data on servers in the United States or by obtaining written authorization from DDTC.

The DDTC interim rule definitions also formally introduce the term "deemed export" to the ITAR. Although releasing ITAR-controlled technical data to foreign persons in the United States has generally been well understood to be an export requiring authorization from DDTC, the interim final rule harmonizes the term with its EAR counterpart—for the most part. One key difference that exporters must keep in mind is that DDTC and BIS continue to determine the nationality of those to whom deemed exports are made differently. For DDTC, a deemed export is considered to take place "to all countries in which the foreign person has held or holds citizenship or holds permanent residency," whereas BIS typically considers the last-in-time nationality.[11] Although a commenter on the proposed rule recommended harmonization of the rule to the BIS standard, DDTC expressly rejected that approach, stating that the "all countries" analysis was appropriate and in keeping with the main tenet of Export Control Reform that the ITAR will have "higher walls around fewer, more sensitive items."

DDTC issued these definitions as interim final rules to allow additional public comment prior to the effective date of September 1, 2016. We will continue to monitor these revisions to the definitions and report on any significant variations between the interim final rule and the final rule incorporated into the ITAR.

DDTC also published revision 4.4 to the Agreement Guidelines[12] to reflect the changes to the definitions. The revisions affect a number of sections throughout the Agreement Guidelines, including some mandatory verbatim clauses. Applicants need not submit amendments to their Technical Assistance Agreements, Manufacturing Licensing Agreements, or Warehouse and Distribution Agreements for the sole purpose of updating these statements, but all agreement and major amendment applications submitted after September 1, 2016, must include the new language.

DDTC Publishes Draft Data Collection Forms

In furtherance of the Single IT system goal of Export Control Reform, DDTC has acquired a new case management IT system to modernize its business processes. As a result, the current license application and approval forms (DSP-5, DSP-6, DSP-61, DSP-62, DSP-71, and DSP-74) will be superseded by an electronic form submission that will be known as the DSP-7788. The system will also implement form-based submissions for providing voluntary disclosure reports of AECA/ITAR violations (DSP-7787) and for notifying DDTC of material changes in registration information (DSP-7789), each of which are now submitted in general correspondence submissions. DDTC expects these forms to allow industry users and DDTC staff to better manage the submission and review process for applications and notifications to the government.

DDTC requires OMB approval for the data collection and the associated forms. We recommend registrants review the forms, especially the Form DSP-7788 Application/License for Defense Articles or Services, to assess the potential impact on the registrant's operations.[13]