United States: Year End Review Of Export Control Issues

1. Dual-Use Export Control Developments

1.1 Proposed License Exception ICT for Intra-company Transfers.

The Bureau of Industry and Security (BIS) issued a proposed amendment to the Export Administration Regulations (EAR) to create a new License Exception ICT for companies to export, re-export, or transport (in-country) dual-use products such as software and technologies to and among their "wholly-owned or controlled-in-fact" non- U.S. entities and foreign national employees. 73 Fed. Reg. 57554 (October 3, 2008). Industry has long sought a broad, unfettered License Exception like ENC for intracompany transfer of encryption source code and technology for use and product development. However, in the view of most exporters, the form of the proposed rule that resulted from interagency review is very cumbersome and a License Exemption in name only.

To the extent that License Exception ICT applies, companies no longer need to obtain and maintain a multitude of individual licenses to meet the requirements of day-today intra-company transfers, including deemed exports to employees. This approach removes the burden of applying for, tracking and reporting on a number of single licenses and results in a streamlined exporting process for both those that successfully meet the ICT requirements and BIS. The proposed rule arises from years of proposals from many exporters and trade associations (including the Deemed Export Advisory Committee) that U.S.-based companies and those based in many allied nations should be considered trusted entities to handle exports among affiliates and employees without the need for licenses. Many companies today apply for more deemed and other intra-company export licenses to "talk to themselves" than they do to export to customers since their research and development technologies and source code are more likely to require licenses than end-products.

However, many will likely think that the burdens of applying for, obtaining, and maintaining the criteria to establish themselves as trusted enough for License Exception ICT will outweigh the benefits in its proposed form. This is more like the old Distribute License or Special Comprehensive License or Validated End-User (VEU) (or a security clearance) than any License Exception and seems to require that a company prove its innocence in its application, annual reports and audits rather than being considered a trusted end-user.

First, a company must apply for authorization to use License Exception ICT, a requirement only associated with License Exception ENC for products. The "parent" company applicant must be incorporated or have its principal place of business in a country listed in proposed new Settlement No. 4 to EAR Part 740.¹ The application must provide details on the applicant and each eligible wholly-owned or controlled-in-fact "user" and "recipient," which can be in any country except Country Group E or North Korea. The intended difference, if any, between a "user" and a "recipient" is not clear. Presumably, some users and recipients may not be approved.

Experts will need to list Export Control Classification Numbers (ECCN) to be covered and likely negotiate their application with BIS and other reviewing agencies. Note that exports that would not qualify for License Exception under EAR 740.2, including Missile Technology controlled and certain "space qualified" items (ECCN5 3A001.b.8, 3D001, 3E001, 6A002.e, 6A008.j.1, 6A998.b, 6D001, 6D002, 6D991, 6E001, 6E002, 6E101, 6E99l), ECCNs 2A983, 2D983, or 2E983, or QRS-1 1 Micro-machined angular rate sensors, could not be exported under License Exception ICT. Significant Items-controlled ECCNs also cannot be exported under ICT. License Exception APR cannot be used to authorize re-exports that otherwise would be authorized, which is not the case for licensed exports. Also, encryption items controlled under ECCNs 5X002 cannot be exported and re-exported under ICT, mainly because License Exception ENC permits the vast majority of such exports with far fewer restrictions (exception for companies headquartered in Argentina or South Korea). Finally, the preamble reminds exporters that foreign direct products of U.S. origin technology or software may be subject to license requirements under General Prohibition 3. (We have extensive guidance on that subject for those clients who desire more information. It rarely applies anymore, but clients should approach application with caution. Regulators have discussed making the Prohibition more restrictive).

Items exported may be only for internal use. Any re-export or retransfer must be authorized by another License Exception (other than APR), NLR, or a license.

Companies need to create and include in their application an extensive internal control plan covering technology and other applicable exports to even be considered for the exception. Each affiliate "user" of ICT must adopt the compliance plan. The plan described in EAR proposed 740.19(d) consists of nine parts, including a corporate commitment to export compliance, a physical security plan, information security plan, personnel screening procedures, training and awareness program, self-evaluation program, letter of assurance for software and technology, employee signing of nondisclosure agreements addressing export controls, and a review of end-user lists. The complexity of such plans varies with the types of products exported, where they are exported and the type of end user. Evidence of implementation of the screening, training, and self evaluation elements of the plan must be submitted. BIS may require vision of the plan before authorizing the use of ICT. Many exporters have comprehensive export compliance programs that will meet most of these criteria, but the depth of the criteria for License Exception ICT goes beyond standard Export Management systems. For example, the proposed rule says that any deficiencies uncovered in self evaluations must be voluntarily disclosed; otherwise, the ICT authorization could be revoked.

The application review process is the same as for an export license, involving other agencies and the normal dispute resolution procedures. The agencies will consider prior licensing history to determine whether they believe ICT is needed, including the requested ECCNs (which obviously will change with a dynamic company), and will also consider prior violations and other negative issues in deciding whether and to what extent to approve the plan.

Once License Exception ICT authorization is approved, companies are not in the clear. Annual reports must be submitted to BIS. The reports must include a detailed list of all foreign national employees, including name and birth dates (which will likely cause problems under EU and other privacy laws), and who received what items (including technologies or source codes) under ICT. Companies must also submit new entity information and changes in information submitted before continuing to use ICT for such entities.

Many companies are now running cost benefit analyses to figure out the detriment this annual reporting alone will cause compared to the existing process. The final verdict is still unknown due to the vague descriptiveness of the rule pertaining to this list. If, for instance, a company must list all previous recipients of technology and source code prior to receiving the license in the first place, as well as identify the specific technologies received by specific foreign nationals in the annual reports, the costs could far outweigh the benefits.

In addition to this rigorous requirement, companies must undergo an audit by BIS biannually if there are any reasons suggest wrongdoing. In this scenario the audit is a BIS initiative. The outcome of such audits will be interesting. As the proposed rule stands, there are very few clear lines to determine what is acceptable to meet ICT internal control program standards and what is not. Those who operated with the old Distribution License recall that inexperienced auditors sometimes substituted their own judgment for what types of procedures were acceptable. One auditor might suspend a company whereas another might not. Most government auditors are experienced and reasonable. Nevertheless, this is a heavier burden to impose on exports among supposedly trusted parties than what is currently imposed on most licensed exports to third parties.

BIS performed its own cost-benefit analysis and determined that approximately 200 companies applied for licenses that fell under the umbrella of ICT. Of these companies, BIS determined that only 17 would benefit from License Exception ICT. The majority of these companies, in the eyes of the BIS, have already established and implemented strong internal control programs. Only two companies without internal control programs in place surpassed the cost benefit threshold. The cost of constructing an internal control program that meets these standards, for most companies, is more expensive and time consuming than simply applying for licenses. Therefore, the amount of time and effort to pass the proposed rule appears to exceed the gains that only a handful of companies would reap.

Footnote

1 Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, German, Greece, Hungary, Iceland, Ireland, Italy, Japan, South Korea, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, United Kingdom, United States. (This is the same list as Supp. 3 for License Exception ENC, with the addition of Argentina and South Korea. Let's recommend adding them to Supp. 3 and just have one list.

To read this article in full, go to: http://www.bakerdonelson.com/ContentWide.aspx?NodeID=200&PublicationID=552

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.