Archive for the ‘USA Regulations’ Category

Export Controls & ECR Report


The Congressional Research Service (CRS) released “The U.S. Export Control System and the Export Control Reform Initiative” providing a full report on several aspects of the US export control system. The report provides background on policies and the possible future systems but with very few details (Congress will debate on whether the regulations should eventually have only one licensing agency).

Full Report:

France: Weaning Off of US Weapons Systems Parts


By: Danielle Hatch

French Defence minister Florence Parly recently explained that it will start to cut its dependence on US components in many of its weapons systems. Everyone knows that US export controls often limit European weapons sales even if they only contain a tiny US component. Just this year, the US blocked the sale of French-made SCALP cruise missiles to Egypt because they contained a US part that was subject to the US export regulations. Regarding the blocked sale, Parly said: “We are at the mercy of the Americans.” Without providing specific examples, Parly said France needed to “gradually wean ourselves off our reliance on a certain number of American parts.”

France and Germany are currently working on the Future Combat Air System (SCAF) project, a next generation combat jet and they are trying to minimize the dependence on US parts within the project. France’s Dassault Aviation and Airbus have signed a deal to work together on the jet which will have the ability to be at the center of a broader weapons system that can control a squadron of drones. Currently, France’s air force uses Reaper drones which are built by General Atomics, a US firm. France had to obtain US congressional approval to arm the drones since they are used in its counter-terrorism operations against Islamist militants. “Is that satisfactory? No. But we don’t have any choice,” Parly explained.

Quotes from French Defence minister Florence Parly during a joint news conference in Helsinki, Finland on August 23, 2018.

More details:

Sandler, Travis & Rosenberg Trade Report



Dates and Deadlines: Classification, Customs Records, Export Regulations, and GSP. The link below provides highlights of regulatory effective dates and deadlines and federal agency meetings coming up in the next week.

Export Control Reform Is Not Dead


By: John Black

Maybe you were beginning to feel comfortable with the sweeping changes to US export controls resulting from the Obama Administration’s Export Control Reform Initiative.   Well, the regulatory change party isn’t over.  Get out your reading glasses and free up some time in your calendar because it won’t be long before the EAR-ITAR definitions clean-up regulations hit the street.  In 2015, DDTC and BIS published proposed, so-called harmonization rules to harmonize EAR and ITAR definitions of terms such as export, publicly available/public domain and others.  At first glance I thought the proposed EAR and ITAR rules were not harmonization because they proposed to have different definitions of many key terms.  Then the musicians in my family reminded me that when two people sing harmony they do not sing the same note at the same time but they sing different notes at the same time.  So I guess the proposal to have definitions in harmony was musically correct because the definitions were not the same.

It’s easier for me to talk about the rules as definitions clean up, updates or clarifications, or perhaps just changes.  In any event, putting aside the name I prefer to use, this is a high level overview of what I/we should expect:

  • Clarifications of the EAR definitions of export (something leaves the US), reexport (something goes from one foreign country to another) and retransfer (change in end-use or end-user).
  • Stating in the EAR that a person’s country status under the EAR deemed export rule is the most recent country of citizenship or permanent resident status.
  • If technical data, technology or software is electronically transmitted or moved using end-to-end encryption, and is not intended for storage in the most sensitive export control countries such as China, Russia, and arms-embargoed countries, it is not an unauthorized export if electronic transmissions transit countries for which the a license would be required for the content of the transmission.
  • The EAR will include provisions to apply the ITAR 126.18 and 124.16 concepts to EAR deemed reexports of technology or source code.  Deemed reexports from Country Group A:5 STA eligible countries to nationals of any of those A:5 countries will be authorized.  Deemed EAR reexports involving other countries and nationals will be authorized along the lines of ITAR 126.18 which means the deemed reexporter has an NDA from the recipient, a compliance procedure to vet/control the deemed reexport and there is no substantive contact with problem countries.
  • The EAR will include provisions to apply ITAR special arrangements involving countries such as Canada, the UK and Australia to EAR issues.
  • The EAR will require that the license applicant inform all other parties in the license of the license scope and conditions.
  • The EAR will clarify that technology that is an input into a fundamental research is not fundamental research.

To a large extent, the definition changes will merely clarify that the definitions mean what you thought they meant, which will increase your confidence in your understanding of the regulations and, hopefully, make it easier for you to explain and apply the rules in your organization, and perhaps help you to sleep better at night.  Clarification, even without hope for changes to the restrictions and requirements, is something I always appreciate because for me it is always better to understand the rules than to agree with them.

In any event, once the new changes are out, it will be time to join me as I print out the Federal Register notices, get some small sticky notes and a couple highlighter pens, pour yourself a big cup of coffee, and start to read the notices, including the preamble text, and study the new rules.  I am looking forward to it, and I hope you are too.

Statement Before House Committees Concerning Proposed Export Licensing for Cyber-Security Items


(Source: Homeland Security Committee) Author: Kevin J. Wolf, Assistant Secretary of Commerce for Export Administration.

Transcript of statement:

“Thank you, Chairmen Hurd and Ratcliffe, and Ranking Members Kelly and Richmond.

The Wassenaar Arrangement is a 41-member export control group in which the United States participates. It was established to contribute to regional and international security and stability by promoting greater responsibility in the transfer of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations of such items. Participating States maintain a common control list of items warranting control for these reasons and seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities that undermine these goals, and are not diverted to support such capabilities. The list of such items is developed and updated by the Participating States through consensus determinations, generally made at the end of each year. …

In December 2013, Wassenaar approved new export controls on “command and delivery platforms” for “intrusion software” and related technology. Specifically, the entries in Category 4 (Computers) of the Wassenaar dual-use control list would control non-publicly available software (4.D.4.) that generates, operates, delivers, or communicates with “intrusion software.” “Intrusion software” is defined as software designed to covertly gain access to a computer or other networked device and, once inside, to extract or modify data or modify the execution path of the device to allow the execution of externally provided instructions. Related hardware and technology entries (4.A.5. and 4.E.1.c.) control systems and equipment for generating, operating, delivering, or communication with “intrusion software,” and technology for developing “intrusion software.” The original proposal for these controls came from another Wassenaar member nation in 2012. Examples of the types of commercial hacking software intended to be captured by this control include those offered by Hacking Team (Italy), Gamma/Fin-Fisher (Germany), and Vupen (France).

The controls were novel in that they were the first foray by a multilateral export control community into the area of offensive cyber tools. The agreed-upon entries covering software intentionally excluded “intrusion software” itself — that is, certain kinds of malware — from control because of a general understanding that everyone with a computer or mobile device infected by such malware or “exploits” could become an unwitting “exporter” of it (e.g., by forwarding an infected e-mail to someone in another country). The technology entry, however, imposes controls on non-publicly available technology for the development of such software as well as on technology for the development of the controlled delivery systems. …

In order to not take an action that would inadvertently harm our nation’s ability to engage in critical cyber defense and related research work, we decided in May 2015 to take the unprecedented step of publishing these Wassenaar control list entries as a proposed rule, with a request for private sector comments, rather than as a final rule. Our hope was that the private sector comments would give us a better sense for whether the rule would have unintended impacts on our cyber defense and cyber research ecosystems. All dual-use controls have consequences and impose costs on the private sector. That is the nature of controls. This one, however, was different because the impact would be not just on the economic bottom-line of U.S. companies, but on our government’s and our nation’s ability to share efficiently and quickly the types of technology necessary to conduct cyber defense and related research.

Immediately following publication of the proposed rule, Commerce received questions from U.S. private sector and others in the U.S. Government about the intended scope of the controls. In order to ensure that comments were informed and responsive to the proposed controls set forth in the rule, Commerce published answers to a list of “frequently asked questions” on its website to address what we determined were regular queries in order to encourage more focused and more useful public comments. It was clear from these initial questions that the terminology used in the control list entries and the proposed rule were understood differently by the cybersecurity community than by the export control agencies and the Wassenaar Participating States. By the end of the 60-day comment period, Commerce had received more than 260 comments, virtually all of them negative. Some commenters took the view that the underlying control at Wassenaar could not be implemented without causing significant harms to cybersecurity. Others made specific recommendations on ways to mitigate many of the concerns. Some praised the underlying objectives of the rule, while nonetheless proposing modifications to the scope of the proposed regulation, such as through license exceptions and definitions, to reduce the impact of unintended consequences. …

Neither the Commerce Department nor the Administration has reached a conclusion about how to respond to the public comments. We are still reviewing and considering them. Importantly, all U.S. Government agencies with expertise and equities in cyber defense research and related work are reviewing the comments and will provide input as a next step, before we make a decision on what to do about the proposed rule.   As requested by your committees, I can, however, summarize the essence of the comments – reiterating that the Administration has not come to any final conclusions regarding how to respond to the comments or to the extent to which they are correct technically. The public comments, including presentations at technical advisory committee meetings during the past three months, focus on three main issues.

First, some commenters asserted that the proposed regulation’s definition of “intrusion software” is too broad and, as a technical matter, fails. They assert that malware recovery tools would be caught by the entries because they interact with malware to regain control of an infected system, and some defense research tools would be caught because they analyze malware to develop new defensive products. They also assert that products that patch systems or add capabilities to programs would themselves be controlled under these entries because of the way they interact with or manipulate programs. These products are integrated with the hardware (systems, equipment, and components) and are designed to legitimately bypass or defeat protections, modify the standard execution path of software, and access data. According to the commenters, they would often thus be software for the generation, operation, delivery of or communication with “intrusion software” and caught by the new controls.

Second, other commenters contend that the proposed rule to implement the control list entries as written, based on the definition of “intrusion software,” would impose a heavy and unnecessary licensing burden on legitimate transactions that contribute to cyber security. Government agencies and private sector cyber security companies routinely test their systems and networks to identify vulnerabilities and, if possible, discover existing malicious attack agents. These companies then provide their clients with threat mitigation tools and strategies. To accomplish this, they use the same tools the controls on intrusion items identify, though their use is authorized by their target. To accomplish their mission, they need to employ tools for computers or networks that have the functional specifications of the control parameters, e.g., avoid detection, defeat protective countermeasures, extract data or information, modify system or user data, and modify the standard execution part of a program or process to execute externally provided instructions. These are exactly the characteristics a successful malicious attacker’s software would have and what the assessment team’s tools need to be able to replicate. During these defensive engagements, members of the assessment team frequently need to create custom scripts (i.e., software programs) to effectively assess the extent of the vulnerabilities by creating exploits, and to determine if a successful attack has taken place or is in progress.

Third, other commenters state that the proposed rule’s controls on technology for the development of “intrusion software” could cripple legitimate cybersecurity research. To address cyber threats, technical information must be shared with experts across the globe. In order to identify and quickly counter threats, the cybersecurity industry relies heavily on collaboration with other companies within and outside of the United States, as well as independent experts around the world. Many of these experts are self-taught, have no prior formal relationship with cybersecurity firms, and, in many cases, may be unknown until they discover a new vulnerability. To address vulnerability, a company must be able to engage in a back-and-forth dialogue with these researchers and experts. Often, the dialogue must include detailed discussion of exactly how a particular vulnerability could be exploited to gain control of a computer; without such discussion it is not possible to evaluate the risk posed by a vulnerability or to fashion an effective and comprehensive defense. Some commenters were concerned that, by subjecting vulnerability research, assessments, and testing to export licensing requirements including classification, screening, and other control elements, the control would limit the ability to fix and patch such vulnerabilities, leading to an overall decrease in the quality of cybersecurity. When vulnerabilities are discovered, they must be reported as soon as possible so that a fix can be developed. This process involves sharing not only the vulnerability and exploit, but also the technical information on how the exploits work, including the technology to develop them.

The commenters had many suggestions regarding how to address their concerns. The Administration will be reviewing all of them and many other ideas for how to address the policy objectives of the control but without unintended collateral harms. As I have said many times in response to questions about the rule, the only thing that is certain about the next step is that we will not be implementing as final the rule that was proposed. In working through this process, we will continue to seek input from those with expertise and equities in cyber security in both the U.S. government and the private sector before deciding in conjunction with its interagency partners what the next step should be. I thus welcome the Subcommittees’ inputs and am prepared to answer any questions you may have.”

The Office of Defense Trade Controls Licensing Reorganizes


By: Brooke Driver

As of April 20, the Office of Defense Trade Controls Licensing has been restructured to reflect the 36% drop in licensing volume and disparity in the volume of cases among the previous divisions resulting from changes made by Export Control Reform. The DTCL has streamlined its divisions to reflect the post-ECR environment and now includes four operational divisions: Space, Missile and Sensor Systems, Electronic and Training Systems, Sea, Land and Air Systems and Light Weapons and Personal Protective Equipment Systems.

Export compliance professionals will not need to adjust application procedures due to the changes; D-Trade will automatically route cases to the corresponding division based on the USML commodities listed in the application.

Click here for more information.

State Department Announces New Requirements for Export of Unmanned Aerial Systems


By: Brooke Driver

The DDTC recently announced a changed policy for licensure to export unmanned aerial systems. According to the new policy, in order to receive a permanent export license for these items from the State Department, applicants must include an additional piece of paperwork to ensure proper use from foreign end users prior to export.

Now, in addition to the required DSP-83, Non-Transfer and Use Certificate, applicants must now include an addendum to paragraph 5 of the DSP-83 to confirm proper use. The addendum is to be signed by both the applicant and the foreign end user.

Keep in mind that this new requirement only applies to permanent exports; temporary exports of UASs will not require the additional addendum.

Click here for the new addendum and for more information.

Commerce/Census: “Tips on How to Resolve AES Fatal Errors”: Fatal Error Response Codes 168 and 538



When a shipment is filed to the AES, a system response message is generated and indicates whether the shipment has been accepted or rejected. If the shipment is accepted, the AES filer receives an Internal Transaction Number (ITN) as confirmation. However, if the shipment is rejected, a Fatal Error notification is received. To help you resolve AES Fatal Errors, here are some tips on how to correct the most frequent errors that were generated in AES for this month.

Fatal Error Response Code: 168

– Narrative: Transportation Reference Number Ineligible

– Reason: The Transportation Reference Number reported is ineligible.

– Resolution: The Transportation Reference Number cannot be reported as “UNKNOWN” or have any value not found on the standard keyboard. Verify the Transportation Reference Number, correct the shipment and resubmit.

Fatal Error Response Code: 538

– Narrative: Shipping Weight Must Be Greater Than Zero For MOT

– Reason: The Mode of Transportation Code reported was one that identifies a Vessel, Rail, Truck, or Air shipment and the Shipping Weight was not reported.

– Resolution:   When the Mode of Transportation is Vessel, Rail, Truck or Air, the Shipping Weight must be reported. Verify the Mode of Transportation and Shipping Weight, correct the shipment and resubmit.

For a complete list of Fatal Error Response Codes, their reasons, and resolutions, see Appendix A – Commodity Filing Response Messages.

It is important that AES filers correct Fatal Errors as soon as they are received in order to comply with the Foreign Trade Regulations. These errors must be corrected prior to export for shipments filed predeparture and as soon as possible for shipments filed postdeparture but not later than five calendar days after departure.

For further information or questions, contact the U.S. Census Bureau’s Data Collection Branch.

Telephone: (800) 549-0595, select option 1 for AES





BIS Amends Six ECCNs to Comply with MTCR Annex


By: John Black

In the April 7, 2015 Federal Register, the Bureau of Industry and Security revised 6 ECCNs, so that the Commerce Control List will conform the pertinent sections of the current Missile Technology Control Regime Annex.  The revised ECCNs are 1C111, 3A101, 9A106, 9A110, 9A604 and 9A610.

ECCN 1C111

  • BIS corrected an error in paragraph a.1 in the List of Items Controlled section to correct an omission error in the referenced ISO standard.
  • BIS clarified 1C111 by adding Chemical Abstract Service (CAS) Numbers to accurately identify each of the chemicals listed in the Technical Note to paragraph b.5 and paragraphs d.7, d.14 and d.18 in the List of Items Controlled.

ECCN 3A101

  • BIS revised paragraph a.2.a to remove paragraph a.2.a.1 and revised paragraph a.2.b to remove paragraph a.2.b.1 in the List of Items Controlled section, because the quantization requirement was removed in the MTCR Annex.  BIS also predesignated the paragraphs in 3A101 to be consistent with the already-mentioned substantive changes.

ECCN 9A106

  • BIS revised 9A106.d and the Note to 9A106.d, so that it controls gel propellant in addition to the already controlled liquid and slurry propellants and to clarify the controls.
  • BIS revised 9A106.d to clarify only servo valves, pumps and gas turbines that are specified under paragraphs a., b., or c are classified under 9A106.d.
  • BIS revised the Note to 9A106.d to clarify the control applies at the “maximum operating mode” of the already-existing 8,000 rpm parameter.
  • BIS also revised the Note to 9A106.d by adding to a new paragraph c. to specify that gas turbines, for liquid propellant turbopumps, with shaft speeds of 8,000 rpm or more at the maximum operating mode are also controlled under 9A106.d.

ECCN 9A110

  • This final rule revises and clarifies the previously “slightly convoluted” heading 9A110.  This change, along with the additions of 9A604.f and 9A610.t (see below), is intended to make it easier to understand where the CCL controls composite materials for commercial UAVs (under 9A110) and composite materials for military UAVs (under 9A604.f and 9A610.t).

ECCN 9A604 

  • BIS added a new paragraph 9A604.f to control composite structures, laminates and manufactures thereof ‘‘specially designed’’ for the items controlled under USML Category IV that are specified in paragraphs f.1–f.7. Such commodities previously were classified under ECCN 9A604.x. The purpose of this change is to allow a clearer identification of these commodities and for the designation of MT license requirements.
  • The ‘‘MT’’ control in the Reason for Control paragraph in the License Requirements section does not apply to 9A604.f.

ECCN 9A610

  • BIS added a new paragraph 9A610.t to control composite structures, laminates and manufacturers thereof ‘‘specially designed’’ for unmanned aerial vehicles controlled under USML Category VIII(a) with a range equal to or greater than 300 km. 9A610x  previously controlled these items.  The new 9A610.t is intended to allow a clearer identification of these commodities and also for consistency with the MTCR Annex.
  • BIS also makes two conforming changes in the 9A610 Reason for Control paragraph. First, this final rule revises the ‘‘NS’’ control to add the new 9A610.t to the list of 9A610 commodities that are not subject to the ‘‘NS’’ control. Second, this final rule revises the ‘‘MT’’ control to add 9A610.t to the MT control.
  • BIS removed the 9A610 Related Controls paragraph (2), because it is no longer needed, due to the revisions made to 9A110, 9A604 and 9A610.

To see a copy of the Federal Register notice, go to

When Export Practices Cross the Line: Hidden Foreign Corrupt Practice Act (FCPA) Violations Can Hurt You


By: Stephen Wagner

Your company exports and ships its products all over the world through a small, local third-party logistics provider. The export manager at the shipping company, who is a close personal friend, has been handling your company’s products for years and has been doing a perfect job. The products arrive at your foreign customer locations on time, without problems, and you just pay the invoices for the shipping costs without question. In fact, international shipping is the one part of your company’s operations at which you have never needed to take a second look.

Until today… Today two special agents from Homeland Security Investigations (HSI) arrived at your office to ask about your company’s export activities. They were vague about the nature of the investigation, but asked a lot of questions about your shipping practices. As they were leaving, they handed you a subpoena for five years’ of export records. You started gathering your documents together and now, reviewing your export shipping invoices for the first time in years, you see line items and charges for a “Customs Clearance Fee” in certain countries and an “Import Commission” in other countries. When you called your friend at the shipping company to ask about these charges, he said that the receiving shipping companies in these countries must pay these fees “so your products can sail through customs.”

What are you really seeing when you look at these charges?

Depending on the exact nature of these payments, you may end up seeing federal criminal charges.

The Foreign Corrupt Practices Act, as amended (15 U.S.C. §§ 78dd-1, et seq.) (“FCPA”), was enacted in 1977 and makes it illegal for U.S. companies (including their foreign affiliates) to make payments to foreign government officials. The “anti-bribery provisions” of the FCPA prohibit “any offer, payment, promise to pay, or authorization of the payment of money … directly or indirectly, to a foreign official to influence the foreign official in his or her official capacity, induce the foreign official to do or omit to do an act in violation of his or her lawful duty, or to secure any improper advantage[.]” 15 U.S.C. § 78dd-1(a). Additionally, the “accounting provisions” of the FCPA require companies whose securities are listed in the United States to “make and keep books and records that accurately and fairly reflect the transactions of the corporation” and “devise and maintain an adequate system of internal accounting controls[.]” 15 U.S.C. § 78m(b)(2).

Yet, the world of international business is not so black and white. There are myriad court cases, attorney general opinions and legal theories that seek to define a “foreign official.” While someone working for a foreign government (like a uniformed foreign customs officer) is clearly such an “official,” what about employees of a nationalized, or government-owned company? What about employees of private companies that conduct government functions (such as processing customs paperwork) under a contract with the government? What about agents, consultants or lobbyists who “grease” the foreign government processes on your behalf?

Furthermore, recognizing that sometimes payments must be made to foreign government officials just to move paperwork along or obtain routine approvals, the anti-bribery provisions of the FCPA contain an exception for “facilitating payments.” This narrow exception applies to payments made for non-discretionary actions, like processing customs paperwork or import permit applications; actions which would take place even without the payments, but would probably take much longer to occur.

Therefore, looking at your company’s “Customs Clearance Fee” or “Import Commission,” several critical questions arise: who is being paid, and for what?

Even if you think you have found the logical answers to these questions, you will need to consult with your company’s general counsel or a qualified outside attorney, because you may not be able to interpret these answers correctly. Indeed, sometimes, the law does not apply logically to the way businesses operate, and sometimes, the language used in the statutes and regulations can be ambiguous or subject to multiple interpretations. For example, if you think the “fee” or “commission” would qualify as a facilitating payment, the U.S. government’s FCPA Guidance warns, “while the payment may qualify as an exception to the FCPA’s anti-bribery provisions, it may violate other laws, both in Foreign Country and elsewhere. In addition, if the payment is not accurately recorded, it could violate the FCPA’s books and records provision.”

And you cannot stop your investigation with just these “fees” and “commissions,” because no federal government investigation will stop there either. Many exporters may pay intermediaries to obtain business in foreign countries. Whether these payments to “middlemen” are labeled as “sales commissions” or “distribution fees” or “licensing payments,” they may all still be bribes as that term is interpreted by enforcement agencies under the FCPA.

As an example of how broadly the FCPA can be interpreted, in May 2014 a federal appeals court ruled in the case of United States v. Esquenazi (752 F.3d 912 (11th Cir. 2014)), that the FCPA’s definition of “foreign official,” which includes “any officer or employee of a foreign government or any department, agency, or instrumentality thereof,” also includes officials working for “an entity controlled by the government of a foreign country that performs a function the controlling government treats as its own.” Esquenazi, 752 F.3d at 925. Therefore, if your company is doing business with a foreign state-owned or state-controlled business, certain payments to officials of that foreign company could be illegal under the FCPA, because such businesses can be interpreted as being “instrumentalities” of the foreign government.

It is also important to note that FCPA enforcement is expected to be on the rise in 2015. Violations of the FCPA can result in criminal and/or civil charges from the U.S. Department of Justice (DOJ) and (if your company is a “reporting company” under the Securities Exchange Act of 1934) civil or administrative cases from the U.S. Securities and Exchange Commission (SEC). While enforcement actions by these two agencies had been relatively stable over the last three years, there has been a recent uptick in the number of potential FCPA violations reported to the U.S. government. This is due in large part to stronger anti-corruption laws and enforcement measures around the globe, which is increasing corporate awareness of anti-bribery issues. As companies are reporting more to the enforcement agencies, actions under the FCPA should increase as well.

And the stakes in FCPA compliance measures and enforcement actions can be enormous. For 2014, the average value of monetary resolutions in government FCPA enforcement actions against corporations was over $150 Million. And those are just the fines and penalties. On the compliance side the costs can be staggering for businesses as well. In one well publicized case, Walmart self-reported possible FCPA violations to the DOJ and SEC after a New York Times investigation. According to filings with the SEC, Walmart is now spending between $10 Million and $35 Million per quarter for its “global [anti-bribery and anti-corruption] compliance program and organizational enhancements.” In its fiscal 2014 Global Compliance Program Report, Walmart reported it had spent an overall total of $439 million in legal fees and other costs associated with the on-going investigations of alleged FCPA violations, and to revamp its global compliance protocol.

While smaller companies may not have the breadth of operations (and the financial resources) of Walmart, having an effective and robust FCPA compliance program is just as critical. A combination of a strong, written program together with its robust use and periodic audits can help prevent exactly the type of situation that has befallen the company in the scenario above. Moreover, an effective FCPA program can be a critical factor in mitigating possible penalties in any FCPA enforcement action that may arise.

So what does this mean for your company? In the short-term, you should conduct an immediate self-assessment to check foreign transactions for both export violations and FCPA violations. It is common for a company lacking in FCPA internal controls to also be lacking in effective export controls and vice versa. (You also need to have legal counsel carefully review all of the responsive subpoena documents for possible export and/or FCPA violations.) In the long-term, your company must become more vigilant with respect to FCPA issues. Your company’s overall compliance program must address anti-corruption and anti-bribery programs, just as company contracts with foreign entities or with respect to export-related operations should contain standard provisions requiring FCPA compliance.