47b7872e0d50107b623f75adf771212a.ppt
- Количество слайдов: 60
Export Controls: In the Trenches: Hands-On Approach to Export Compliance NCURA REGION VI & VII 2011 SPRING MEETING APRIL 3 - 6, 2011
Presentation Overview Presenters: Kay Ellis Export Compliance Program Licenses and Other Requests Adilia Koch Technology Control Plans Recordkeeping Voluntary Disclosures
Export Compliance: “Preventing violations” KEEPING YOUR CAMPUS COMPLIANT
Develop an Export Compliance Management Plan Risk Assessment – Where are the high risk areas? Shipping Procurement Sponsored Research Specific colleges/units Develop “best practices” and tools Checklists NDAs, MTAs File for licenses and exemptions Technology Control Plans (TCPs) Manual Training Maintain export control website Recordkeeping
Managing export controlled research Assuming you can’t negotiate out the restrictive clauses - how do you manage the export controlled project?
Determining the need for a license (Export Controls Review) Questions to Ask: What is the nationality of researchers INCLUDING Professors and Research Assistants (grad students/post-docs)? Will the researcher or grad student be receiving restricted information? Is it EAR controlled? Is it ITAR controlled?
Determining the need for a license (Export Controls Review) Questions to Ask: Is the project strictly defense-related? If it’s ITAR, will the foreign national grad student need to discuss the data with the sponsor? Destination: Is the research technology or goods going overseas to a foreign company, government or individual? Does the PI want to take the technology/equipment/data with him or her?
Determining the need for a license Steps to Take: Determine if license is needed for the technology/end user/end use Determine if license exemption or exception is available
1. Do I need to be concerned about export controls in this research? Public domain, and a) No equipment, encrypted software, listed-controlled chemicals, bio-agents or toxins, or other restricted technologies are involved, and b) Information/software is already published, and c) 2. 1. 2. 3. There is no contractual restriction on export, or Equipment or encrypted software is involved, or Technology is not in the public domain, and Technology may be exposed to foreign nations (even on campus) or foreign travel is involved, and a) The equipment, software or technology is on the Commerce Control List, or b) Fundamental Research (note definitions and caveats associated with this exemption) Information or instruction is provided about software, technology, or equipment on the CCL, or c) 4. The foreign nationals are from or the travel is to an embargoed country The contract has terms e. g. a publication restriction that effect the Fundamental Research Exemption Probably NO 1. 2. Equipment, software, chemical, bio-agent, or technology is on the US Munitions List (ITAR), or Equipment, software, chemical, bio-agent or technology is designed or modified for military use, use in outer space, or there is reason to know it will be used for or in weapons of mass destruction, or 3. Chemicals, bio-agents or toxins on the Commerce Control List are involved, or 4. The contract contains a restriction on export or access by foreign nationals (further review is required) YES License May Be Required License Will Be Required 9
Determining the need for a license If no exceptions or exemptions, determine what kind of license is needed • EAR • ITAR • OFAC
What next? ! Next steps: Get a license Set up a Technology Control Plan Train the project personnel Audit the Plan Keep records
Register first! If ITAR - must be registered with State (DDTC) http: //www. pmddtc. state. gov/registration/index. html $2250 flat fee for first-time users and universities or organizations not subject to taxation Need a digital certificate License submitted through D-Trade If EAR – must register with Commerce (BIS) Free! http: //www. bis. doc. gov/snap/pinsnapr. htm If OFAC – no registration necessary
Bureau of Industry & Security(BIS): SNAP-R licenses Deemed Export License (BIS 748 P-B) Licenses are required for release of controlled technology or software to a foreign national only if a license is required for the export of such items to the home country. Commodity Classification Review the Commerce Control List (Part 774 Supplement 1) to identify (approximately) the ECCN or ECCNs that seem to be appropriate. Try to describe your item/technology in the control parameters used in the CCL entries. Shipping license (BIS 748 P-A) http: //www. bis. doc. gov/snap/index. htm
Submitting an OFAC license No required form – provide a detailed description of proposed transaction, including names and addresses of all involved States in the license records shall be made available upon demand for at least 5 years Call Licensing Div. (202) 622 -2480 or Compliance Div. (202) 622 -2490 for status http: //www. treasury. gov/about/organizationalstructure/offices/Pages/Office-of-Foreign-Assets-Control. aspx
Most Commonly Used ITAR Forms and Agreements DSP-5 License for permanent export of unclassified defense articles and related unclassified technical data License foreign employees/students “Vehicle” for online submission of TAA Technical Assistance Agreement (TAA) an agreement for the performance of a defense service(s) or disclosure of technical data
Most Commonly Used ITAR Forms and Agreements DSP-83 Nontransfer and Use Certificate required for export of significant military equipment (SME) and classified articles/data DSP-73 License for Temporary Export of Unclassified Defense Articles Commodity Jurisdiction (CJ) – Purpose is to determine whether an item or service is covered by the U. S. Munitions List (USML)
Commodity Jurisdiction (CJ) Requests: “What to do when you don’t know what to do” ONLY STATE CAN DETERMINE JURISDICTION
EAR or ITAR? Need to go to the authority - State Department has sole authority not the PI not the Sponsor not Do. D not Commerce You do not need to be registered with State to submit a CJ
Before you start writing… Ask yourself the 3 most obvious questions Who is funding the project? (Do. D? NASA? NIH? ) What is the intended end-use? (Military? Commercial? Both? ) What is the actual technology involved? (Surveillance? Space? )
Then ask yourself these… Does the item or technology have predominant military, space or intelligence application? Was it designed, manufactured or tested to meet military or commercial specifications? What is the current predominant application? Does it have performance equivalent (in form, fit and function) to an item used for civil application? Is there sufficient justification for Commerce or State Department jurisdiction?
If it looks like a duck… The CJ process is there to use when there is doubt about a technology’s or commodity’s jurisdiction When writing a CJ, you’re usually trying to argue your item is not subject to the ITAR CJs take time to write and even more time to process Don’t waste time on a CJ if there is no doubt your project is controlled under the ITAR and you have no justification for reconsideration If the intended end-use is for a military application, there is no doubt – it’s ITAR-controlled
And it sounds like a duck… Follow your instincts Don’t believe everything PIs tell you no matter how confidently or definitively they state it Most PIs, unless they’ve worked in industry, are not experienced with or savvy about these regulations – high level of naiveté Dig for information, ask lots of questions Ask them again and again
Some assertions I’ve heard…. “This (satellite) information can’t be ITAR-controlled to Japan – they’re a peace-loving nation. They are our allies. ” “DHS doesn’t fund ITAR-controlled work because DHS is a civilian law enforcement agency. ” “We can’t call it ITAR because we don’t know the end use. The sponsor won’t tell us because it’s classified. ” “I have a document marked ‘ITAR-controlled’ but it’s also marked ‘uncontrolled when printed. ’ I have a printed copy so I guess it’s not export-controlled. ”
It is a duck Prime is Do. D Sponsor won’t tell you which agency within Do. D Contract terms and conditions contain restrictions on publication and participation of foreign nationals Statement of Work asserts “innovative and advanced research” End-use is for a military application It’s an ITAR duck
Doubt arises when… The sponsor’s determination differs from yours You’re modifying a defense article substantially for a commercial purpose* You are collaborating with another university that is treating the project differently You request a classification or a license from BIS and they advise you to submit a CJ *If you’re modifying an item for a military purpose, it’s ITAR-controlled.
Tips on writing CJs Include as much information as possible PI or technical staff must participate in writing the CJ – they need to explain the technology clearly Try to anticipate questions Don’t try to fudge Predominant means most of the time Identical means exactly the same Modified means modified – no matter how insignificant the change may seem
Tips on writing CJs Two legitimate arguments: Your commodity is not a defense article and is not on the USML Your commodity was a defense article but has been modified so it no longer has military application Tell them how you think it should be classified, e. g. Dual-use, EAR 99, ECCN 3 A 992, etc.
Tips on writing CJs Follow the Guidelines – these are not in the regulations – they are online see: http: //www. pmddtc. state. gov/commodity_jurisdiction/inde x. html DDTC often posts information on its webpages – always check for the latest information CJs must be uploaded* to DDTC using their Electronic Form Submission software. Requests must include fully executed DS-4076 CJ Form and all supporting documentation 120. 4 (c) revised – no longer need original and 7 collated copies! *as of September 3, 2010
CJ Processing Interagency review Per DDTC usually less than 65 business days May get calls for additional information, be ready to answer or have PIs and Researcher prepared to respond Be courteous and professional and make sure the PI and Researchers are as well Don’t blame the reviewers, they’re just doing their jobs
Documenting Export Controls Compliance: Technology Control Plans ELEMENTS OF A TECHNOLOGY CONTROL PLAN
License or Technology Control Plan? In some situations it is possible to put a TCP in place instead of applying for a license A TCP is simply a plan that outlines the procedures to secure controlled technology (e. g. , technical information, data, materials, software, or hardware) from use and observation by unlicensed non-U. S. citizens If this is not possible, then a license or technical assistance agreement would be needed
Technology Control Plans (TCPs) If you have export-controlled projects at your university you need technology control plans Elements of a TCP Ø Commitment Ø Personnel Screening Ø Physical Controls Ø IT Security Ø Recordkeeping Ø Communication and Training Ø Ongoing audits and assessments
When do you need a TCP? In conjunction with a Technical Assistance Agreement (TAA) – Dept. of State In conjunction with a Deemed Export license – Dept. of Commerce In conjunction with an agreement that does not allow foreign nationals In conjunction with an agreement that involves controlled technology – includes NDAs Or in conjunction with any project that involves controlled technology!
What are some key elements to consider in developing a TCP? A TCP is project-specific! Authorized personnel should be identified Export-controlled information must be identified and marked as export-controlled Project data and/or materials must be physically shielded from observation by unauthorized individuals by operating in secured lab spaces or time blocks Work products such as soft and hardcopy data, lab notebooks, reports, and research materials should be stored in locked cabinets preferably in rooms with keycontrolled access
More elements to consider…. . Key controlled access by authorized personnel only Equipment or internal components such as operating manuals and schematic diagrams containing identified export-controlled technology must be secured Disposal of export-controlled information Discussions about the project authorized personnel only and in secure area no third-party discussion unless conducted under signed agreement with U. S. citizen limitations
Even more elements to consider…. . Export-controlled electronic communications and databases need to be secured. Such measures may include: user ID, strong password, SSL or other approved encryption technology (True. Crypt) activate screensavers after 10 minutes full disk encryption for laptops Must include any project specific restrictions PI must approve and all project members sign off
Now that the TCP is in place… Project personnel need to be trained or briefed prior to the start of the project Update TCP Certification every semester – project personnel could change Retrain project personnel at least once a year Audit project to make sure TCP is being followed Get IT folks to help audit electronic security measures
Now that the project is over… Security measures should remain in effect to protect export-controlled information unless earlier terminated when the information has been destroyed or determined to be no longer controlled.
Export Compliance: Recordkeeping THE DEVIL IS IN THE DETAILS!
What’s required of us? Federal Sentencing Guidelines: Effective Compliance and Ethics Program In general, requires the “…exercise (of) due diligence to prevent and detect criminal conduct; and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. ” United States Sentencing Commission, Guidelines Manual, § 8 B 2. 1(a) (Nov. 2006)
What’s required of us? The USSC’s 7 Step Program Establish standards & procedures Knowledgeable governing authority with reasonable oversight Authority personnel does not include individuals engaged in illegal activities Effective training programs Monitoring, auditing, periodic evaluation, and a reporting system for employees & agents Consistent enforcement Respond to non-compliance w/ reasonable steps
So where is recordkeeping? The USSC’s 7 Step Program Establish standards & procedures Knowledgeable governing authority with reasonable oversight Authority personnel does not include individuals engaged in illegal activities Effective training programs Monitoring, auditing, periodic evaluation, and a reporting system for employees & agents Consistent enforcement Respond to non-compliance w/ reasonable steps
But, what is a record? National Archives & Records Administration 36 Code of Federal Regulations (CFR) 1220 Section 1220. 14 General Definitions: Records include all books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the Government or because of the informational value of the data in them (44 U. S. C. 3301).
In Export Control-speak… Export Administration Regulations (EAR) Part 762 Recordkeeping International Traffic in Arms Regulations (ITAR) Part 122 Registration of Manufacturers and Exporters (122. 5), with an additional clause at Part 123. 26 Recordkeeping requirement for exemptions Documentation must be kept five years after the expiration of license
EAR Part 762 Scope Transactions involving restrictive trade practices; exports/reexports; Canadian exports if involving non. U. S. /Canadian persons with an interest; or any other transactions subject to the EAR Records to be Retained Memoranda; Notes; Correspondence; Contracts; Invitations to Bid; Books of Account; Financial Records; Restrictive Trade Practice or Boycott Documents/Reports, and Other records describing those transactions Bottom Line: Anything about Anything!
ITAR Part 122. 5 Maintenance of records by registrants “…maintain records concerning the manufacture, acquisition and disposition (to include copies of all documentation on exports using exemptions and applications and licenses and their related documentation), of defense articles; of technical data; the provision of defense services; brokering activities; and information on political contributions, fees, or commissions furnished or obtained, as required by part 130 of this subchapter. ” Bottom Line: Anything about Anything!
How should I keep records? Lessons learned from case history: Electronic systems are valid, but not required; operational needs can (and should!) be considered in this decision Deleting electronic records is OK; as long as all the information is available elsewhere Record management is KEY!
Export Compliance: “When Stuff Happens” VOLUNTARY DISCLOSURES
What should you do if think you have a violation? Have a process Document what the process is and who needs to be involved Empowered Official VPR Legal Department Dean or Department Head
Stop the activity immediately!
Voluntary disclosures – initial letter 51 If you realize a violation has occurred, the appropriate agency should be notified ASAP! Penalty (hopefully!) will be less severe Send a brief initial notification pursuant to 15 CFR § 764. 5 Office of Export Enforcement (Commerce/BIS) 22 CFR § 127. 12(c) Office of Defense Trade Controls Compliance (State) State the matter is under internal review and complete narrative account will follow per 15 CFR § 764. 5(3) and (4) or 22 CFR § 127. 12(c)(2)
Voluntary disclosures – Agency response 52 Commerce: The BIS Office of Export Enforcement will respond upon receipt with instructions Per § 764. 2(e), can’t do anything (order, buy, remove, store, use, loan, forward, service, etc. ) with the item(s) in question Per § 764. 5(f), can request permission to engage in activities that would otherwise be a violation
Voluntary disclosures – Agency response 53 State – DDTC: The Office of Defense Trade Controls Compliance, Enforcement Division (DTCC/END) will acknowledge receipt and assign a case number Per § 127. 12(c)(1)(i), you must submit full disclosure within 60 days of date of letter Can ask for an extension but must specify what and why required information could not be provided
Voluntary disclosure – next step 54 Compile the facts – what happened Gather supporting documents and information Names, addresses, citizenship Equipment lists (chart or table format) Manufacturer and model number Quantity and unit cost ECCNs and/or USML categories Phone calls, logs, meetings
Voluntary disclosure – supplementary letter 55 Show corrective action taken and the measures put in place to prevent it from happening again, such as: Annual export control training Set up technology control plan Enhanced website with links to export control procedures and forms Implemented internal procedures to ensure no exports are made without a license or license exemption Implemented a formal export approval process University commitment to compliance
Voluntary disclosure – supplementary letter 56 Give background information (project description) Describe the violations (unauthorized export, recordkeeping, license terms) What (item and categories) When (supply dates) Where (countries) Who (people involved and citizenships) Why (give explanation of reasons for violation)
Closeout Hopefully you will get a letter stating “ we are closing this case without taking action” They can reopen the case State or Commerce could require an outside audit Worst-case scenario, the institution get fined or the PI faces jail-time and fines
Things to remember Don’t jump to conclusions May not be an export violation at all, could be a misunderstanding or a violation of an internal process We live in an electronic world ◦ Documents are emailed, downloaded, backed-up to servers, copied to thumb drives, posted to websites, printed out ◦ All of these methods must be reviewed, including who had access to what, by which means and when Must be a closed loop process Ensure corrective actions are implemented Check back in a couple of weeks to make sure they are working
Discussion Time
Contact Information Adilia Koch Kay Ellis Director of Export Compliance California Institute of Technology Export Control Officer University of Arizona adilia. koch@caltech. edu 626 -395 -4469 email. arizona. edu 520 -626 -2437