Managing international compliance risks

The application of U.S. export controls to aerospace companies has a long and contentious history. The placement of bombers, fighters, and other military aircraft within the coverage of the stringent International Traffic in Arms Regulations (ITAR) is not controversial. But many aerospace companies have chafed at the application of the ITAR to products that they view as primarily having civil use, such as certain aeronautic guidance equipment or components only slightly modified in form or fit to meet military specifications.

Many aerospace companies have warned that the application of strict export controls is driving manufacturing offshore, as non-U.S. companies take advantage of being outside the direct oversight of U.S. regulators. Some non-U.S. companies go so far as to omit U.S.-origin components from their products so that they can advertise their products as ITAR free, allowing them to be sold without the substantial compliance costs imposed by U.S. export controls. American aerospace businesses long have warned that the U.S. export controls are imposing a substantial burden on the operation of the industry.

These concerns have multiplied in recent years as the U.S. government has ramped up enforcement of the ITAR and the Export Administration Regulations (EAR), with the latter regulating the sale of dual-use/commercial products, including civil aircraft, their parts, and components. The ability of the government to impose substantial penalties is demonstrated by the $75 million fine on United Technologies Corp. in 2012 for 576 ITAR violations and violations of the Foreign Corrupt Practices Act (FCPA), which forbids bribery of foreign government officials. In 2011, U.K.-based BAE Systems PLC agreed to pay a $400 million penalty for ITAR and FCPA violations.

Beyond the headline-grabbing large penalties, a close look at enforcement actions shows that there are seven trends of concern for an aerospace corporation subject to U.S. jurisdiction:

• Increasing enforcement by the U.S. government of laws that apply to international transactions
• Increasing willingness to resort to criminal indictments rather than civil penalties
• Growing fines
• Growing use of specialized enforcement resources, including dedicated FBI agents with detailed knowledge of U.S. regulations governing exports and international conduct
• Increasing national and international inter-agency cooperation
• Simultaneous enforcement of separate laws regulating exports and the activities of U.S. persons abroad, such as the FCPA and economic sanctions imposed by the Office of Foreign Assets Control (OFAC)
• Increasing targeting of individuals, including through attempts to impose large penalties and jail time.

Complicating the compliance calculus, the ground rules have recently changed. As part of an effort designed to “build higher walls around fewer items,” the export control authorities have engaged in a top-to-bottom rewrite of the ITAR and the EAR. Initial hopes that this reform would sharply diminish the compliance responsibilities of aerospace companies largely have been dashed.

Although many aerospace defense articles, parts, and components have moved from the ITAR to the EAR as a result of this review, in many cases they were placed within the new 600 series of the EAR. This series, composed largely of former ITAR items, is almost as tightly controlled as articles on the ITAR. Although the placement of these items on the EAR may open up new sales opportunities, from a compliance perspective these standards differ little from those required under the ITAR. Because companies now need to systematically review their entire production lines to determine the appropriate set of export controls to apply, export controls reform has instead increased the compliance responsibilities for many aerospace defense contractors.

The difficulties of complying with the ITAR and the EAR are complicated by the coverage of technical data that relates to the development, manufacture, maintenance, and service of controlled defense articles and dual-use goods. Under both the ITAR and the EAR, the release of controlled technical data to a non-U.S. national is “deemed” an export.

Aerospace companies need to pay special attention to these “deemed export” rules. Under them, any transfer of goods to someone other than a U.S. citizen or permanent resident is deemed to be an export to that individual’s home country, even if the technical data is physically located in the United States. Where controlled technical data is involved, companies must take special pains to ensure that non-U.S. persons cannot access any computer network that contains controlled technical data.

Because the U.S. Commerce and State Departments consider the ability to access controlled technical data to be a violation (even if the non-U.S. person does not actually do so), special controls are necessary whenever such access is even a theoretical possibility. With the vast amount of technical data found at many aerospace companies, the need to comply with these “deemed export” rules is particularly daunting.

Similar regulatory issues may arise because aerospace research and development – as well as the manufacture of products – often involve sophisticated equipment controlled under the EAR or the ITAR. This means that the equipment itself can be subject to export controls and that teaching a non-U.S. national how to operate the equipment can violate the rules. Use of such equipment to make ITAR- or EAR-controlled articles or goods would also directly implicate export control requirements. Under these conditions, companies engaged in sophisticated aerospace manufacturing must consider restrictions on giving non-U.S. persons access to, training about, or producing goods with sophisticated equipment or sharing any associated technical data.

Continuing U.S. jurisdiction over American-made goods also poses compliance challenges. U.S. companies often rely on foreign partners and affiliates to engage in added aerospace manufacturing of their products. Under the EAR, the U.S. government regulates all U.S.-origin products, even when the products are incorporated into downstream products produced outside the country. Under the relevant de minimis standards, this includes any goods with more than 10% U.S. content for embargoed destinations and 25% U.S. content for all other countries. ITAR standards are even stricter. Because these regulations control military goods, the incorporation of even a single ITAR-controlled item subjects the entire downstream product to U.S. jurisdiction.

Other U.S. laws governing international conduct pose further complications. The application of the FCPA remains a problem for any company operating abroad, but its bite is particularly hard for aerospace companies that frequently deal with government officials. Such contact can occur in both a regulatory and a procurement context. Further, since the Department of Justice considers any person who works for a state-owned entity, such as a state-owned airline, to be a government official, the risk points for FCPA violations are particularly great for the aerospace industry.

As the BAE and United Technology settlements illustrate, once the U.S. government is in an enforcement posture, it looks broadly for violations of the many laws governing international conduct.

Also of concern are the increasingly strict rules regarding dealings with sanctioned countries, governments, and persons designated as being associated with terrorism, proliferation of weapons of mass destruction and narcotics, undermining human rights, and other acts considered to be contrary to U.S. foreign policy. These OFAC sanctions are intended to work hand-in-hand with U.S. export controls and can result in significant penalties that have in some cases run into billions of dollars.

At the time of publication, the U.S. government reportedly was considering imposing the first $10 billion economic sanctions penalty against a French bank, BNP Paribas. Although the economic sanctions violations supposedly at issue had nothing to do with the aerospace industry, the potential imposition of such a large fine reveals the full extent to which the U.S. government is willing to use these laws as a means of policing international conduct.

All of these compliance difficulties are multiplied due to the global nature of the aerospace industry. Aerospace manufacturing using joint ventures, affiliates, and partners located worldwide can lead to difficulties in monitoring the actions of foreign persons who may be engaged in violations of U.S. laws with extra-territorial effect, including anti-bribery, export controls, OFAC economic sanctions, and anti-boycott regulations. Foreign partners and customers implicate the U.S. government’s “know-your-partner” and “know-your-customer” expectations, as well as prohibitions on Americans dealing with persons engaged in bribery or trade with embargoed persons. When such violations occur, it can be difficult to convince regulators that the U.S. company was not involved in the conduct at issue or should not, at a minimum, be considered to have knowledge because it did not exercise sufficient oversight over the arrangement or conduct enough due diligence.

With these issues in mind, aerospace companies should carefully monitor the export controls implications associated with their new production paradigms. For aerospace companies that are engaged in global production, operate abroad, or sell abroad, the key compliance considerations will likely include the following:

Conducting a classification review: It is impossible to have effective compliance unless the company has precisely catalogued the goods, technology, software, technical data, research equipment, and production equipment that are subject to ITAR and EAR control. Unless this is known, the company risks treating controlled goods, software, and technical data as if they were not subject to controls. The dangers are particularly great with regard to technical data, which can become mixed with normal corporate data if it is not identified at the outset as information that needs to be segregated.

Once such information is mixed in the vast amounts of commercial data maintained by most aerospace companies, it can become a Herculean task to find such data and pull it into special databases and servers designed to segregate it from any non-U.S. nationals who have access to the general corporate network. Because of the difference in how controlled items (generally not exportable unless a license is secured, particularly under the ITAR) and non-controlled items (generally exportable to most countries) are treated, no export controls compliance policy can be effective unless the company has conducted a thorough classification review.

Performing a global risk assessment: The key to effective compliance is identifying and controlling risk. Each company’s risk profile will vary depending on how the company does business, its customer base, its sales practices, where it operates, its business culture, and other issues unique to the organization. Key issues to evaluate include the types of products sold (with sales of controlled goods increasing risk), the ways in which the organization conducts business (with the use of distributors and third parties increasing risk), and the countries where it sells and operates (with countries with a reputation for corruption or export diversion increasing risk). Other factors that bear on a company’s risk profile include its compliance history, the potential application of local law, the industry at issue, and whether it appears to be a target of U.S. government enforcement action. The performance of a global risk assessment, covering export controls, economic sanctions, the FCPA, antiboycott, international antitrust, and other high-risk laws likely applying to the company should be the driver of compliance efforts for most aerospace companies.

One thing to remember is that conducting a risk assessment can lead to the discovery of potential regulatory violations. The company should have the risk-assessment process conducted in a way that stresses confidentiality. If possible, an attorney should oversee the process, so the exercise can be conducted with attorney-client privilege. Doing so could be important if the investigation uncovers evidence of apparent violations.

Surveying current controls: After assessing the organization’s risk profile, the next step is to determine whether its existing compliance measures adequately anticipate and mitigate that exposure. Even state-of-the-art compliance measures can grow stale in light of changing products, production, and sales – or with new regulations and enforcement trends. Common lapses include the failure to translate compliance measures into local languages, train relevant personnel, or update materials to reflect changes in the laws (especially for often-changing economic sanctions). Other failure points may involve inadequate compliance oversight, insufficient due diligence, and underfunding of compliance initiatives. Any gap between identified risks and existing controls should be remedied.

Reviewing training: The U.S. government has little patience with paper compliance programs. Compliance requires proper training to be effective. Common training problems include overlooking necessary personnel, irregular or inadequate training, neglecting new changes in the laws, and failing to tailor training to the organization’s risk profile, business culture, and ways of doing business.

Monitoring red flags: Suspicious circumstances that indicate a potential compliance lapse or violation of law are an important aspect of any compliance program. This need is especially pronounced in the areas of export controls and the FCPA, where educating the workforce regarding potentially suspect situations is one of the best risk-management tools. Lists of common red flags for export controls, economic sanctions, FCPA, and anti-boycott laws are available by contacting the author.

Reviewing information flows: In the export controls context, it is easy for organizations to emphasize the flow of goods over the flow of information. Yet the deemed-export rule requires organizations pay equal attention to both. Common compliance lapses include the failure to monitor the flow of controlled technical data within the United States, the sharing of information among affiliates and business partners, cross-fertilization of general company databases and controlled databases (which allows employees to easily bypass security communication protocols), and the use of email as a means of circumventing compliance protocols on sharing controlled technical data.

Managing licenses and approvals: It is common for aerospace companies to have extensive licenses under both the EAR and the ITAR. Often these licenses have terms and conditions (provisos) that require careful monitoring, such as limitations on their operation or dollar or quantity value limits. OFAC licenses often are issued with annual reporting obligations and sharp restrictions on how payments can be accomplished for licensed activity. Companies with licenses outstanding need to designate a person who is in charge of monitoring the operation of the licenses and complying with any conditions attached to them.

Compliance audits: At any company, there is a tendency of compliance to go on auto-pilot. Audits are intended to combat this tendency, by confirming that compliance in the field is operating as intended by headquarters. Although periodic compliance audits are always a good idea, in contexts where businesses change their production, sales, and export patterns, they can be especially important. Once new compliance measures and internal controls are implemented, the necessary next step is to determine whether the new procedures are being implemented as envisioned. The only way to accomplish this goal is through regular compliance audits and evaluations.

A final risk is a company’s tendency to focus its attention on U.S. operations while neglecting the foreign operations that may still present relevant risks. The U.S. government is extremely innovative when it comes to exerting it jurisdiction abroad. It has rules regarding U.S.-origin goods, U.S. persons, and the U.S. financial system, as well as the aggressive use of facilitation and agency theories. All of the measures outlined here should be implemented across the organization, so that the company can allocate its scarce compliance resources globally in the manner most likely to yield the greatest compliance payoff.

Because of the complicated nature of compliance under these laws, full coverage of the types of compliance needed for aerospace companies is not possible within the space of this article. A full international compliance guide that extensively covers compliance with all of the high-risk regulations of exports and international conduct is available by contacting the author.

It is impossible to eliminate all risk, whether in the aerospace industry or otherwise. But by recognizing the potential impact of international regulations, companies can take steps to identify and manage the risks across the organization, thereby minimizing the risk that they could be subject to the same enforcement actions that have ensnared some of the best known aerospace companies.

Foley & Lardner
www.foley.com

About the author: Greg Husisian is a partner in international law firm Foley & Lardner’s Washington D.C. office and a leader of the firm’s Legal Innovation Hub for manufacturers. He can be reached at 202.945.6149 or by email at ghusisian@foley.com.