1. NACM’s 120th Credit Congress & Expo
End Users, Due Diligence &
Necessary Documentation in the
Event of an Audit, Best Practices (Part 2) 
Lizbeth C. Rodriguez-Johnson
Holland & Hart, LLP
555 17th Street, Denver CO
June 14, 2016

2. REGULATORY SCHEME
U.S. export controls apply to all international business
Understanding the regulatory scheme
The consequences of failing to comply with the regulations
Taking steps to minimize the risk of a violations
Compliance and risk mitigation

3. Enforcement of export controls is a priority for the U.S. government
REGULATORY SCHEME
Enforcement of export controls is a priority for the U.S. government
National security
Foreign policy
Risk of enforcement varies depending on product/destination
Demonstrably effective compliance and ethics policies have become a necessity

4. SPECIAL RISKS
Prohibited Parties
Dual-use items and technology
Deemed exports
Embargoed Destinations
Foreign Agents

5. WHY SHOULD YOU CARE ABOUT U.S. TRADE CONTROLS?
Many countries have trade control laws that regulate international conduct
The United States trade control laws not only impact U.S. companies; they have extraterritorial application
Penalties can be assessed by the U.S. Government against both U.S. and non-US companies that violate U.S. trade laws (including monetary fines, loss of access to the U.S. commercial and financial markets and other penalties)

6. COMPLIANCE PROGRAM BUSINESS CASE
Cost Effective Measure
A compliance program designed to protect against inadvertent violations is an effective defensive tool (if implemented)
Good business in case of acquisition, merger
In the event of a potential violation, demonstrable training and good recordkeeping can divert an investigation
Avoid expensive legal fees

7. UNDERSTANDING THE CONSEQUENCES
Criminal prosecution of executives (up to 20 years in jail).
Denial of U.S. export privileges.
For foreign companies, violations can result in denial of entry to U.S. market or access to U.S. technology.
Debarment from U.S. Government contracts.

8. UNDERSTANDING THE CONSEQUENCES
Monetary Penalties in the Millions
Commerce Department/Treasury Department
Up to $250,000 civil penalty per violation
$1,000,000 for willful violations (criminal) for corporations (or 5 x the value of the export, whichever is greater).
In the past, transactions parsed then violations stacked
State Department = Up to $500,000 per violation

9. UNDERSTANDING THE CONSEQUENCES
If things go wrong:
Strict liability for trade sanctions violations
Cost of investigating potential violations in the event of self-disclosure
Legal fees, other expenses
“Involuntary Investigation” – by the U.S. Government may result in three times the legal costs

10. WHY YOU SHOULD CARE? In summary:
U.S. trade sanctions and export control laws are premised on national security and foreign policy.
Risk of enforcement varies depending on product, international (or domestic) developments.
Penalties and defense costs can be high.

11. ROADMAP TO THE AGENCIES THAT REGULATE U.S. EXPORTS AND SPECIAL RISKS

12. U.S. EXPORT CONTROL LAWS IN GENERAL
With whom we conduct business?
What we export, i.e., services, know- how, data?
How we conduct business?
How we can demonstrate compliance?

13. U.S. EXPORT CONTROL LAWS IN GENERAL
What’s Covered?
Physical commodities, products, components
Software
Technology / technical data
Know-How
Services, including training, teaching, etc.

14. THE AGENCIES AND THE REGULATIONS
U.S. Commerce Department Bureau of Industry and Security (BIS)
Export Administration Act (Expired)
International Emergency Economic Powers Act (IEEPA)
Export Administration Regulations (EAR)

15. THE AGENCIES AND THE REGULATIONS
Export and reexport of:
items,
materials,
software,
technology
Commercial vs. Dual-Use
Denied Persons List, Entity List, Unverified List
Antiboycott restrictions

16. THE AGENCIES AND THE REGULATIONS
U.S. State Department Directorate of Defense Trade Controls
Arms Export Control Act (AECA)
International Traffic in Arms Regulations (ITAR)

17. THE AGENCIES AND THE REGULATIONS
Export, re-export and temporary import of:
Defense Articles
Technical Data
Furnishing of:
Defense Services
Debarred Parties List
Brokering

18. THE AGENCIES AND THE REGULATIONS
U.S. Treasury Department Office of Foreign Assets Control (OFAC)
International Emergency Economic Powers Act (IEEPA)
Trading with the Enemy Act
Foreign Assets Control Regulations

19. THE AGENCIES AND THE REGULATIONS
Specially Designated Nationals (SDN) and Blocked Persons List
Drug traffickers
Terrorists
Others
Other lists of sanctioned parties
Many sanction programs/many different restrictions
Comprehensive vs. Targeted
ITAR Section countries

20. OFAC: SPECIAL COMPLIANCE RISKS
Non-listed Sanctioned Parties
Parties with an interest (e.g., ownership, control) in a blocked party
Foreign ownership changes
Facilitation of a prohibited transaction
Financing, legal/compliance support or counseling
Mandatory financial institution reporting (Suspicious Activity Reports)
Exceeding the scope of a General License or exemption

21. THE AGENCIES AND THE REGULATIONS
Other agencies and related controls:
U.S. Department of Justice
U.S. Department of Defense - Defense Technology and Security Administration (DTSA)
Homeland Security - Customs and Border Protection
U.S. Department of Energy
Nuclear Regulatory Commission
There are many others playing different roles.

22. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS

23. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Know your business partners: Before conducting any business, SCREEN
U.S. Lists of Prohibited Parties
Specially Designated Nationals List
Foreign Sanctions Evaders List (Syria or Iran)
Sectoral Sanctions Identification List
Denied Persons List
Unverified List
Entity List
Debarred Parties List
Non-Proliferation List
Others

24. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Multinational sanctions should also be considered:
Consolidated list of persons, groups and entities subject to EU financial sanctions
ol-list/index_en.htm
United Nations Security Council Sanctions Lists
Other countries may have sanctions in place that should be considered.

25. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
End-use/End-user screening
License requirements may apply depending on the expected end-use or end-user of the product to be exported
Non-proliferation concerns
Non-automated screening

26. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Understand your business offering: Jurisdictional / Licensing Determination
Commerce Department
Commercial goods, dual use, technology
License requirement will vary depending
State Department
Defense articles, technical data and services – Generally license required
Jurisdiction and classification need to be addressed prior to export

27. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Classification of commerce controlled technology
Classification determines:
Reason for control (national security, foreign policy, short supply, etc.) (this will have an impact on the penalties that apply to violations)
No License Required
If customer can ship under a “License Exception” or if a license is required

28. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
The Commerce Control List (CCL) describes items subject to the jurisdiction of the EAR.
It consists of 10 general categories divided in 5 more specific Categories of items
A. System, Equipment and Components
B. Test, Inspection and Production Equipment
C. Materials
D. Software
E. Technology
Export Control Classification Numbers vs. EAR99
EAR Section 738 – the Country Chart

29. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS

30. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS

31. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
No License Required anywhere except for certain embargoed destinations, end-users, end uses

32. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Classification of Technology
Technology evolves as engineers push the envelope and customers demand new products; this can affect the controls that apply
Encryption software is an example of civilian use technology that becomes an armament if enhanced, modified or adapted
When classifying the technology, need to understand technology

33. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Classification of Technology
Controls change due to domestic and international developments
September 11, 2001
Sudan vs. South Sudan
Myanmar
Russia
Vietnam
Read the news, trade periodicals and the Federal Register

34. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Special Rules: Transshipments and Re-exports
U.S. origin technology remains subject to U.S. export control laws regardless of title transfers, re-sales, etc.
Re-exports may require licensing (could technology have gone directly to ultimate destination NLR?)
Sending technology “through” a country can equal “to” a country

35. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Problem Solvers Creating Problems:
Technical Services
The “Deemed Export” Rule
Technology exported when divulged to non-U.S. person, even if that person is in the U.S. and has no intention of returning to his native country
Technology exported when ed

36. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Technology exported when divulged to non-U.S. person, even if that person is in the U.S. and has no intention of returning to his native country
Visa holders
Form I-129 Certification Requirement aims is to identify potential exports of U.S. origin controlled technology
Affirmative duty to certify to existing compliance requirement

37. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Transfer of controlled technology to a third country national (employee or other party)
Phone, , fax, in-person
Trade show, demonstration
Facilities tour

38. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
To prevent deemed exports, classification of technology (not just products and including technical services) is a must
Licensing requirement determination contingent on classification
License application process
Employee training is the key to compliance

39. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Embargoed destinations and parties remain an enforcement priority (High Risk)
Exports of harmless items (staplers) can produce high civil fines
Exports of problematic items (nickel pipes and lasers) can result in criminal fines and jail time
Embargoed countries may change as foreign policy develops.
Career enhancing prosecution (for government attorneys, not the Company)

40. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Main Embargoed Countries
But what about and ?
Each embargo regime is different
Embargoes change as U.S. foreign policy evolves

41. UNDERSTANDING THE EXPORT COMPLIANCE PROCESS
Other countries subject to OFAC targeted sanctions include:
Balkans
Belarus
Burundi
Central African Republic
Cote d’Ivoire
Democratic Republic of the Congo
Iraq
Lebanon
Libya
North Korea
Somalia
Ukraine/Russia
Venezuela
Yemen
Zimbabwe

42. TRADE AND EXPORT COMPLIANCE PROGRAMS Implementing Effective Measures

43. COMPLIANCE PROGRAMS
U.S. Law Recognizes Value of Compliance Programs: U.S. Sentencing Guideline § 8B2.1 expressly states that proof of an effective compliance program will result in a reduction in penalties
Focus on developing a compliance plan that meets your organization’s needs
No “One Size Fits” All
“There is no single compliance program suitable for every financial institution. OFAC is not itself a bank regulator; its basic requirement is that financial institutions not violate the laws that it administers…”

44. COMPLIANCE PROGRAMS Defensive data may include:
Proof of Policy Review: Signed acknowledgment by each employee who has reviewed anti- corruption policies and procedures
Proof of Compliance Training: Compliance training minutes and attendees
Proof of Testing: Online compliance training testing data
Proof of Due Diligence: Risk-based due diligence records performed on third parties
Certifications: Compliance certifications provided by third-party contractors and agents as required by contract
Assessments: Internal and external audit reports

45. COMPLIANCE PROGRAMS At a minimum, a program should include:
Compliance policy and export responsibility
Proper classification, licensing and checks
Screening of denied parties, end-uses/end-users and red flags
Training, audits, and updates
Technology control plan
Safety valve for reporting violations

46. COMPLIANCE PROGRAMS Screening – Automated and Centralized
Consolidated List:
Non-Automated Screening
End-Use and End-User Restrictions to prevent nuclear, missile and chemical and biological weapons proliferation; should be part of getting to know the customer

47. Non-Automated Screening
COMPLIANCE PROGRAMS
Non-Automated Screening
Analysis of “Red Flag” factors prevent diversion
Can have checklists, but your education is the most important aspect of compliance

48. COMPLIANCE PROGRAMS
Dealing with risk areas -Technology Control Plan (TCP):
Facility Access Control
Hiring
Exposed technology in the work area
Visits by Foreign Persons
Discussions with Foreign Persons anywhere

49. COMPLIANCE PROGRAMS Recordkeeping/Reporting
If it is not in writing, how can you prove it?
Company policy for record retention essential
Routine destruction of documents, when allowed by law
Strict adherence to reporting requirements (anti-boycott)
Voluntary disclosure option reviewed

50. COMPLIANCE PROGRAMS Training
Initial training sessions by Outside Counsel
Web-based training
Face to Face training
On-going training

51. VOLUNTARY DISCLOSURES
Disclosures are only voluntary if filed before the U.S. government learns of the violation on its own.
Notification should be filed immediately after a violation is discovered and then conduct a through review of the transactions related to the suspected violations.

52. How Do You Know a Disclosure is Needed
How Do You Know a Disclosure is Needed? Conducting Internal Investigations

53. Conducting Internal Investigations
Choice of investigators
In-House vs. Outside
Interview protocol
Civil Miranda
Proof – Witness, Documented
Documenting the Findings
Interview memoranda
Plan investigation with risk of waiver in mind
Mission creep

54. Record Collection and Data Preservation
Avoiding Obstruction of Justice
Issue a “Document Hold”
Do not destroy documents if under investigation
Document Review
Maintain Privilege
Review Documents
Create Log
Leave “No Trace”
Privilege Log

55. Conducting Effective Employee Interviews
“Civil Miranda” Advisement
Need for a witness – never “go it alone”
In person vs. telephone
Demeanor
Multiple employees at one time
Conflict of interest issues
Interview memoranda
Former employees – issues
Open ended questions
Limits on what is disclosed during employee interviews

56. Documenting the Results of an Internal Investigations
Identify and assess potential violations
Avoid speculation – “the facts speak for themselves”
Consider time frame
Review for regulation changes
Ensure jurisdiction/classification is confirmed
Validate/confirm interview facts through support documentation

57. Next Steps: Develop an Action Plan
Stop any ongoing violations
Is a disclosure required/advised?
Document action plan in a close-out privileged “Memo to File”
Monitor completion of action plan items

58. Reporting and Disclosures to Federal Agencies (Treasury, State & Commerce Departments)

59. Voluntary vs. Directed Disclosures
To Disclose or Not To Disclose?
Sometimes you have no choice
Timing issues
Initial notification
Qualify
Full disclosure
What, Whom, Where, When, Why and How
Importance of reviewing all documents prior to submitting to the government
Caution with False Statements
FOIA protection request

60. Corrective Action After a Violation is Discovered
Address “root cause”
Must be operational to be “implemented”
Owners/responsible parties must be assigned
Must be timely
Monitor effectiveness (ongoing)

61. Employee Communications for Remediation and Prevention
Senior management directive for full compliance
Characterize as “enhancements to the compliance program”
Assign responsibilities for execution

62. Compliance Program Audits

63. AUDITS Critical element of effective compliance program
U.S. Sentencing Guidelines §8b2.1- Effective Compliance and Ethics Program
(b)(5) The organization shall take reasonable steps- …(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program….
BIS Core Elements of Export Management and Compliance Program (EMCP)
Element 7 – Internal and External Compliance Monitoring and Periodic Audits
DDTC Guidance for Registrants
Recommended designation of an Ombudsman “to provide independent evaluation (reports) on overall implementation of the company’s compliance program.”

64. Types of Export Audits Self-Initiated Audit Directed Audits
Comprehensive vs. Focused Review
Internal vs. External
On-Going vs. Annual
Directed Audits
Investigation (Directed disclosure)
Settlement (administrative or criminal)
No-Action Resolution

65. Preparing for a Third Party Audit
Understand the scope
Type of testing
Timing
Directed or Self-Initiated
Document production
Review documents before producing
Determine means of production (electronic vs. paper)
Prepare for the audit visit (Hint: Before the audit)
Pre-Audit employee meetings
Availability of relevant personnel
Points of contact

66. Audit Plans and Report Develop an audit plan and follow it
Directed Audits – The regulators will review and approve the audit plan prior to the audit
Determine if an audit report will be produced
For a directed audit, audit report is presented to regulators – No privilege
Voluntary external audit by counsel – Potential privilege

67. Tips on How to Survive a Third-Party Audit Visit
Do not Make the Auditor Wait
Lack of preparation will only hurt YOU
Be Flexible
Do not Test the Auditor’s patience
Expect the Unexpected
Do not Antagonize the Auditors – You may think you are perfect but…

68. Tips on How to Survive a Third-Party Audit Visit
That said … be Proactive
If the Auditor is wrong, point him/her in the right direction (Nicely!)
Do not Try to Fool the Auditor
The Auditor can tell if the answers are rehearsed.

69. Follow-Up on Audit Results
Written Reports
When are they required?
What to include in a written audit report?
Risks and benefits
Findings and Recommendations
Review them carefully
Develop an action plan and stick to it
Do not point fingers, find solutions – Voluntary Disclosures
Remember: You have to live with the Audit Report … Do not ignore it.

70. Summary- Tips for Handling Export Violations
Stop the bleeding
Plan & conduct an internal investigation
Consider who should investigate
Establish a defined, repeatable protocol
Document, document, document
Attorney-Client privilege
Preserve all records
Seek professional assistance
Disclose with care
Corrective actions – do what you say and verify effectiveness
Audit and then … Audit again

71. AVAILABLE RESOURCES

72. AVAILABLE RESOURCES Principal websites Utilize these resources.
Utilize these resources.
Contact information for relevant personnel
Establish relationships in the industry, join trade organizations
Subscribe to the Federal Register ListServ, agency newsletters for Updates

73. Questions?