Overview
Background and Principles
The European Commission (Commission) recently published a non-binding guidance with recommendations on internal compliance programs (ICPs) for dual-use trade controls under Council Regulation (EC) No 428/2009 (EU Dual-Use Regulation) after having issued a draft guidance and launched a survey last fall (see also our previous blog post on the topic).
While not expressly alluding to ICPs, the EU Dual-Use Regulation provides that Member States shall take into consideration whether the exporter applies proportionate and adequate means and procedures for compliance when assessing applications for global export authorizations (i.e., authorizations granted in respect of a type or category of dual-use item which may be valid for exports to one or more specified end users and/or in one or more specified third countries). Written ICPs have long been considered a best practice based on expectations and recommendations published by the US Bureau of Industry & Security and Directorate of Defense Trade Controls, but less so within the EU. In the past couple of years, discussions within the review of the EU Dual-Use Regulation included a proposal for the introduction of ICP requirements. Certain Member States such as Germany, the Netherlands and the UK have already issued their own ICP guidelines.
The guidance aims to provide a framework to help exporters identify, manage and mitigate risks associated with dual-use trade controls and to ensure compliance with the relevant EU and national laws and regulations. It is also intended to support Member States competent authorities in their assessment of risks, in the exercise of their responsibility for deciding on export authorizations, authorizations for brokering services, transshipments of non-EU dual-use items or on authorizations for the transfer within the EU of the particularly sensitive items listed in Annex IV of the EU Dual-Use Regulation.
An ICP should be tailored not only to the company's specific business activity and related risks but also to the size, the structure and scope of the business. The guidance recommends starting with a risk assessment to determine the company’s specific dual-use trade risk profile when developing or reviewing an ICP. The guidance points out that if a company holds a valid Authorized Economic Operator authorization, the assessment of the company's customs activities could be taken into account for the purpose of developing or reviewing an ICP. Since the guidance is explicitly non-binding, there is no obligation to implement an ICP.
The Seven Core Elements of an ICP
The guidance lists seven core elements that are essential for an effective dual-use trade control ICP but stresses that this list is not exhaustive. The Commission emphasizes that during the development of this guidance, potential implementation challenges for Small and Medium Sized Enterprises (SMEs) were systematically considered.
For each core element, the section "What is expected?" describes the ICP related objective(s). The section "What are the steps involved?" further specifies the actions and outlines possible solutions for developing or implementing compliance procedures.
1. Top-level management commitment to compliance
Companies are recommended to develop a corporate commitment statement, which provides that the company complies with all EU and Member State dual-use trade control laws and regulations, defines the management's specific compliance expectations and conveys the importance and value placed on effective compliance procedures. This corporate commitment statement should be communicated to all employees and personnel, including those with no role in dual-use trade control.
2. Organization structure, responsibilities and resources
Companies are encouraged to establish an internal organizational structure that should identify and appoint the person(s) with the overall responsibility to ensure the corporate compliance commitments. In some Member States this must be a member of the top-level management. At least one person in the company, who demonstrably has the required skills and background, should be entrusted with a dual-use trade control function. This function can be shared between corporate entities within the EU unless national export control legislation, as is the case in certain Member States, requires a dedicated person to be appointed locally. Under this recommendation of the guidance, the person(s) making the final decision whether goods can be shipped should not be part of the sales department but of the legal department.
The companies are encouraged to create a compilation of the documented processes and procedures (e.g. in a compliance manual or policy) and may consider the need for Information Technology support for internal compliance procedures. Responsible personnel should document and distribute the set of policies and procedures addressing dual-use trade controls to all relevant personnel.
3. Training and awareness raising
The guidance identifies training and awareness raising as another core element that is essential for an effective dual-use trade control ICP. Companies are called on to provide compulsory, periodic training for all dual-use trade control staff. Furthermore, they ought to develop general awareness raising for all employees as well as dedicated training activities.
4. Transaction screening process and procedures
The Commission stresses in its guidance that transaction screening is the most critical element of an ICP in terms of operational implementation. This element concerns the companies' internal measures to ensure that no transaction is made without the required license or in breach of any relevant trade restriction or prohibition. Transaction screening may be done manually or with the support of automated tools, depending on the companies' needs and available resources. Transaction screening measures also allow the companies to develop and maintain a certain standard of care for handling suspicious enquiries or orders. In case of recurring transactions, transaction screening should be performed periodically.
The guidance lists the following elements of transaction screening processes and procedures:
- Item classification for goods, software, and technology
- Transaction risk assessment, including:
- Checks on trade-related embargoed, sanctioned or "sensitive destinations and entities"
- Stated end-use and involved parties screening
- Diversion risk screening
- "Catch-all controls" for items not listed under the EU Dual-Use Regulation's annexes
- Determination of license requirements and license application as appropriate, including for brokering, transfer and transit activities
- Post-licensing controls, including shipment control and compliance with the conditions of the authorization
Companies should pay particular attention to less obvious controlled types of export (such as export via a person's personal baggage or transfers of dual-use technology by e-mail or via a "cloud" service) and to dual-use trade control measures for activities other than export, such as furnishing technical assistance or brokering services.
5. Performance review, audits, reporting, and corrective actions
Companies should provide for random control mechanisms as part of daily operations to monitor the trade control workflow within the company and to ensure that any misconduct or errors are detected in an early stage. The guidance specifically mentions the "four eyes principle," where trade control decisions are reviewed and double-checked. Companies should also develop and perform audits to check the design, adequacy and efficiency of the ICP.
The guidance also encourages companies to establish notification and escalation measures to adopt in the event of suspected or known incidents of dual-use trade non-compliance, including whistleblowing procedures. Any suspected breaches and the associated corrective measures should be documented in writing.
6. Recordkeeping and documentation
The guidance discusses recordkeeping (procedures and guidelines for legal document storage, record management and traceability of dual-use trade control related activities) as one of the seven core elements that are essential for an effective dual-use trade control ICP.
The guidance recommends to verify the EU and national requirements for recordkeeping (period of safekeeping, scope of documents, etc.) and to consider determining the record retention requirements in contracts with intermediaries, including freight forwarders and distributors. It also advises to keep a record of past contacts with the competent authority, also in relation with end-use(r) controls for non-listed dual-use items and in case of technical classification advice.
7. Physical and information security
In light of dual-use items' sensitivity, companies should have appropriate physical and information security measures to prevent unauthorized removal of, or access to, such items. Physical security measures include physical safeguards, restricted access areas and personnel access or exit control. Information security measures include basic safeguards measures and procedures for secured storage of and access to controlled dual-use software or technology in electronic form, such as antivirus checks, file encryption, audit trails and logs, user access control, and firewall. Companies are advised to consider protective measures for uploading software or technology to the cloud, storing it in the cloud or transmitting it via the cloud.
Annexes to the Guidance: Helpful questions, "red flags" and EU Member States competent authorities
The guidance comes with three annexes. Annex 1 contains a non-exhaustive list of helpful questions pertaining to a company's ICP. The questions relate to all core elements, but not necessarily to every step described. They can either be useful when developing an ICP, or at a later stage to review an existing ICP, but do not serve as a substitute for assessing an ICP against the details of the main part of the guidance.
Annex 2 provides for a non-exhaustive list of "red flags" relating to suspicious inquiries or orders. Companies should be vigilant if one or more of these "red flags" are detected. Moreover, it is recommended and sometimes may be mandatory under EU and national laws to share information about suspicious inquiries with the competent authority.
Annex 3 contains a link with a list of EU Member States competent export control authorities.
Conclusion
The guidance provides valuable help for companies on how to set up an adequate and effective ICP. Certain Member States already require an ICP for global export authorizations and it is reasonable to assume that ICPs will be viewed more and more as best practice.
Although the guidance is explicitly non-binding and there is no obligation to implement an ICP, it is likely that certain competent authorities will take the implementation of an adequate and effective ICP into account when assessing applications to export, transit or broker dual-use items. This may also be the case with regard to penalties for violations of the EU Dual-Use Regulation.