Compliance Program Guidelines

On December 5, 2022, the U.S. Department of State Directorate of Defense Trade Controls (“DDTC”) issued new Compliance Program Guidelines (“the Guidelines”) intended to provide an overview of DDTC’s expectations for an effective compliance program. The Guidelines discuss controls contained in the Arms Export Control Act (“AECA”) and the International Traffic in Arms Regulations (“ITAR”). The Guidelines also outline key elements of an effective ITAR Compliance Program (“ICP”), and identify suggestions, common compliance pitfalls, and tips for best practices.

The Guidelines list eight elements of an effective program.

Element 1: Management Commitment

The Guidelines state that management commitment is fundamental for a proactive compliance program. Management commitment includes generating and updating policies and procedures within the organization and providing sufficient resources to implement these policies.

Element 2: DDTC Registration, Jurisdiction and Classification, Authorizations, and Other ITAR Activities

An effective ICP must include fundamental information regarding ITAR activities, including:

1. Registration with the DDTC;

2. Jurisdiction and classification of items, including the submission of commodity jurisdiction requests;

3. Obtaining authorizations, including a description of the types of licenses, agreements and other approvals available under the ITAR;

4. Conducting restricted party screening prior to engaging in any ITAR-controlled activity;

5. Registration and licensing of brokers, which include any persons engaging in “brokering activities” as defined by the ITAR;

6. Reporting of political contributions, fees, and commissions; and

7. Cybersecurity and encryption considerations.

Element 3: Recordkeeping

Pursuant to 22 CFR Part 130, the ITAR requires the maintenance of records of all licensing-related activities and exports of defense articles and technical data for at least five years from the date of the transaction. The Guidelines suggest establishing roles and responsibilities within an organization with written policies and procedures.

Element 4: Reporting and Addressing Violations

The Guidelines recommend that organizations adopt and implement policies and procedures to detect and investigate potential ITAR violations. Organizations should also establish policies and procedures for submitting voluntary disclosures of violations to DDTC where appropriate.

Element 5: Training

Organizations should create tailored and tiered ITAR training based on employee function and organization-specific compliance risks. The training program should be reviewed and updated periodically.

Element 6: Risk Assessment

After understanding its compliance risks, an organization should create risk assessments tailored to its specific ITAR-controlled activities. These risk assessments should be regularly updated based on changes in the organization’s risk factors. DDTC provides a list of potential ITAR risk factors:

1. The nature and scope of the organization’s commodities;

2. The organization’s customers, suppliers, freight forwarders, partners, or other third parties involved in its activities;

3. The organization’s physical and cyber security infrastructure;

4. Any foreign parents, subsidiaries, or affiliates;

5. The structure of the organization’s product development, engineering, and sales

6. activities;

7. Any foreign person employees; and

8. Geographic regions that the organization operates in or exports to.

Element 7: Audits and Compliance Monitoring

The Guidelines state that comprehensive, independent, and objective audits, when performed regularly, assist an organization in determining the effectiveness of its ICP. Periodic audits should include a) interviews with relevant personnel, including senior management and the compliance team, b) document collection and review, c) IT system access, and d) site visits, as needed.

Element 8: Export Compliance Manual and Templates

The final element of an effective ICP is the creation of a written ITAR compliance manual, which should be provided to all employees. Organizations should periodically check the ITAR and DDTC guidance for any relevant changes and monitor for changes in organizational risk factors.

The ICP Guidelines highlight the scope of ITAR activity guidance, but an organization’s ICP should be tailored to address the specific organization’s needs based on ITAR controlled activity, risk factors, and size.

U.S Persons Abroad Guidance

Additionally, on January 5, 2023, the DDTC published updated guidance and FAQs for U.S. persons abroad (“USPAB”) authorization requests. This guidance is for U.S. persons who reside overseas, are employed outside of the U.S. by foreign companies, and provide “defense services,” as defined by the ITAR at 22 C.F.R. § 120.32, to their employer or other foreign parties. U.S. persons require DDTC approval to provide defense services to any foreign person, including foreign employers, or other foreign persons on behalf of the company. In addition to the guidance for USPAB authorization request, DDTC has also issued a USPAB submission letter template and Sample §126.13 Certification Letter for USPAB Authorization Requests.

In a USPAB authorization request, the U.S. person will be the applicant and use form DS- 6004 through the Defense Export Control and Compliance System (“DECCS”) to request approval from DDTC to provide defense services. The request should also include a submission letter, resume, detailed job description, ITAR § 126.13(a) certification, and other supporting documentation. A third party may help facilitate the request, but the U.S. person is responsible for ensuring ITAR compliance. The approval will not authorize the transfer of ITAR-controlled technical data to the applicant’s employer; this will require a separate application and approval. If DDTC approves the request, authorization letters will be sent electronically to the applicant’s email.

The FAQs clarify that authorization requests cannot be submitted for multiple employees at one time, meaning each individual employee will require an individual authorization. The FAQs recommend that if a U.S. person believes they may have furnished or are furnishing defense services without authorization, the U.S. person may submit a voluntary disclosure to DDTC. The U.S. person may still apply for USPAB authorization while the voluntary disclosure is reviewed by DDTC. The guidance also explains that there are limitations to the USPAB authorization; the authorization permits the applicant to provide only the defense services listed in ITAR §§ 120.32(a)(1) and (3). Additionally, the applicant can only provide the defense services to the foreign nationals identified in the final authorization.

***

For additional guidance regarding updates to the Compliance Program Guidelines or the U.S. Person Abroad Guidance, contact the attorneys and advisors at Torres Trade Law, PLLC.