Archive for the ‘BIS’ Category

BIS Adds New Controls in the CCL on Integrated Circuits, Helicopter Landing Systems Radars, Seismic Detection Systems and Technology for IR Up-Conversion Devices

Monday, November 24th, 2014 by Brooke Driver

Source: Federal Register

The Bureau of Industry and Security (BIS) amended the Export Administration Regulations (EAR) to impose foreign policy controls on read-out integrated circuits and related “software” and “technology,” radar for helicopter autonomous landing systems, seismic intrusion detection systems and related “software” and “technology”, and “technology” “required” for the “development” or “production” of specified infrared up-conversion devices.

The read-out integrated circuits and related “technology” are controlled under new Export Control Classification Numbers (ECCNs) on the Commerce Control List. An existing ECCN has been amended to control the related “software” for those items.

New paragraphs have been added to certain existing ECCNs to control radar for helicopter autonomous landing systems, seismic intrusion detection systems, and the “technology,” as mentioned, for specified infrared up-conversion devices. Specified existing “software” and “technology” ECCNs have been amended to apply to helicopter autonomous landing systems and seismic intrusion detection systems.

The items are controlled for regional stability reasons Column 1 (RS Column 1) and Column 2 (RS Column 2), and antiterrorism reasons Column 1 (AT Column 1).  For more information, go to http://www.bis.doc.gov/index.php/regulations/federal-register-notices#79fr66288.

 

BIS Imposes $750,000 Fine on Intel Sub Wind River Inc. for Violations of Encryption Export Rules—Really?

Monday, November 24th, 2014 by Brooke Driver

By: Felice Laird

I must admit to a shudder of excitement and disbelief when I visited the BIS homepage recently and noticed a banner ad announcing a fine against an “Intel subsidiary for violations of encryption export regulations.”  I am one of the original crypto export geeks, having followed the tortured evolution of the controls from the late 1990′s through the creation and mutations of License Exception ENC, to today’s largely self-policing paradigm.  And I had never heard of a company being investigated or fined for violations in connection with an encryption export–until now.  And so, I wonder, why this, why now?

First, let me give the standard disclaimer;  I have no knowledge of this case other than what I have read in the documents released by BIS, namely, the Press Release, the Proposed Charging Letter, the Settlement Agreement and the Order.  These documents were prepared and issued by BIS, and they reflect only Commerce’s side of the story.  In fact, BIS has ordered the companies involved not to say anything publicly about the case, especially not to deny any of the charges, so we will never get the other side of the story.  The documents give clues as to what the violations were, when they occurred, how the Department found out about them and what the specific punishment is.  What is not clear is why, for the first time in 15 years, BIS came out with a public and painful punishment of a large U.S. company for encryption software exports.

For the export compliance professional, there are several really important things to note when reading the documents.  Here are some of them:

  • Wind River Systems is a subsidiary of Intel that was formed after Intel bought Wind River’s assets (and liabilities!) in 2009.  So, the important take away is that there is “successor liability,” and the government will go after a company for an acquisition’s export violations.  So, ask to be at the table in M&A talks.
  • The statute of limitations for the early violations had run out, but BIS made the company waive the statute somewhere along the line, so that the violations count.
  • The company submitted a Voluntary Self Disclosure that up until now (when done in connection with an encryption violation) usually leads to a nasty gram from BIS but no fines.
  • BIS issued a gag order in the Settlement Agreement prohibiting Wind River from saying anything about the case.
  • The Settlement agreement states that Wind River has to pay up in 30 days, or else they won’t be allowed to use any licenses or exceptions.

From my perspective, enforcement actions are useful training tools.  It is always a “better sell” when I am talking to companies about the risks involved in non-compliance when I have a good enforcement case to present as an example.  And indeed, I have had more than one awkward moment when talking with tech executives and developers who ask me to come up with evidence that the encryption controls are worth compliance measures.  Sometimes, I have to appeal to their patriotism as a last resort.  It is good to know that BIS cares enough about encryption export controls to go after non-compliant companies.

Lately though, I have been seriously questioning the rationale for maintaining export controls on commercial products that use encryption, since the disclosures made regarding NSA surveillance by Edward Snowden last year.  If NSA can intercept and decipher 99 percent of data transmissions, how can the USG continue to maintain that the encryption regs are necessary to support the intelligence community?

The better answer is that Category 5 Part II is synced in most respects to the Wassenaar list and the U.S. is obligated to maintain controls to honor commitments made to the Wassenaar member states.  And it is clear that efforts have been made by at least three of the most powerful delegations (U.S., France and the UK) to shore up controls on “cyber security” products, as they actively considered this at the December 2013 Plenary. (BIS deferred publication of CCL changes, affecting “cyber security” products, agreed to at the December 2013 plenary – indicating that these would be published in September, which has come and gone with no reg in sight.)

So, Wassenaar member states have had controls on encryption too.  But no country has a byzantine regulatory scheme comparable to that maintained by the U.S.  Over the years, License Exception ENC has morphed into a virtually inexplicable licensing loophole.  And so we wonder–should companies really have to continue funneling information to BIS and NSA by way of Classification Requests and Classification reports?  Does NSA really use any of the information?  Does anyone actually read the self-classification reports? ENC shipping reports?

In the few cases over the years that someone from NSA has shown up in daylight to an industry meeting, I always ask the question and get the answer that, yes, the information it gleans from the classification requests and reporting process is still necessary.  I must admit, I have never really bought that story, but that remains part of the answer to the why question.

That brings us back to the timing issue.  The press has widely reported the steps that the information technology industry has been taking to harden products and networks using cryptography and other security technologies to protect customer information from access by government agents.  Perhaps the Wind River case was meant to be a reminder to the industry that the U.S. Government still has the power to regulate which technologies are deployed internationally.

Kintetsu World Express Agrees to $30,000 Fine for Exporting to Chinese Entity on the SDN List

Monday, November 24th, 2014 by Brooke Driver

By: Brooke Driver

Kintetsu World Express of East Rutherford, New Jersey, has settled for $30,000 with BIS for a violation taking placing in May 2010. The settlement agreement states that KWE stands accused of acting as a freight forwarder for the China National Precision Machinery Import/Export Corporation locating in Beijing.  Apparently, KWE transported three spiral duct production machines and related accessories to the CNPMIEC, an entity placed on the Specially Designated Nationals and Blocked Persons List in 2006 for supplying Iran’s military and Iranian proliferators with missile-related dual-use items, without performing the proper screening—or, in fact, any screening at all.

It seems that BIS chose to enforce only a fairly low fine due to the facts that there was only one charge against KWE and the violation appears to have been purely a mistake, rather than an intentional avoidance of U.S. law. However, this case acts as an example to exporters everywhere that you will be held accountable and suffer the consequences for mistakes resulting purely from ignorance. It is essential that you incorporate regular screening against blocked parties lists into your compliance program.

Hong Kong Company Pays $4.5 Million for Violations

Monday, November 24th, 2014 by Brooke Driver

By: Brooke Driver

In September, BIS announced its decision to settle with Hong Kong’s United Sources Industrial Enterprises over its 39 charges of reexport violations. According to the Department of Commerce, between June 2006 and June 2007, USIE reexported illegally items subject to the regulations to Atlinx Electronics and Mayrow General Trading on ten occasions; any export transaction with either of these entities requires a license.

To make matters worse, USIE purposely evaded the regulations between the dates of July 9, 2007 and November 5, 2007 by sharing U.S. supplier and transaction information with affiliate Creative Electronics, also located in Hong Kong. USIE was aware of the fact that it was a designated company in General No. 3, and therefore, penalties would be imposed for U.S. companies that chose to do business with USIE. The company committed 29 separate violations by sharing U.S. transaction and supplier information with Creative Electronics and allowing that entity to act for USIE.

Based on these charges, BIS demanded a $400,000 civil settlement, withholding the additional (and significantly scarier) $4.1 million fine, assuming that USIE commits no more export violations in the next five years.

Commerce Department Tells Specific Exporters Not to Use STA for Arabsat

Monday, November 24th, 2014 by Brooke Driver

By: John Black

Over the past month or so, the Bureau of Industry and Security in the US Department of Commerce has been sending letters to individual exporters informing them that they may not use License Exception STA to export for 9X515 items for use in the Arab Satellite Communications Organization (Arabsat) 6th Generation satellite project.  BIS sent the letters to individual addresses of specific exporters, and not necessarily to their corporate headquarters.  If a single location of your corporation received this notice, it should be passing the warning on to all other locations who could be involved in similar activities.

If your location received this letter, you would be well advised to share it with any other location of your corporation that may be dealing with Arabsat 6th Generation satellite.  Nothing in the letter says, after all, that it is applicable only to the location at the address at the top of the letter.

Venezuela Joins Russia and China in the EAR Military End Use (User) Controls Club

Monday, November 24th, 2014 by Brooke Driver

By: John Black

The US Bureau of Industry and Security has added Venezuela to the list of countries subject to special military end-use (user) controls.  EAR 744.21 imposes controls on exports/reexports of certain ECCNs to “military end-uses” in the PRC.  744.21 imposes control on exports/reexports of certain ECCNs to “military end-uses” and “military end-users” in Russia.  Venezuela is now subject to the same rules that were already applicable to Russia, and which are broader than the rules applicable to the PRC, because the PRC rule does not prohibit delivery to “military end-users.”

An often overlooked critical aspect of the PRC, Russia and Venezuela rules are that they apply only uses that fall within the EAR definition of “military end-use” and only to users (for Russia and Venezuela only) military end-users” as defined in the EAR.  Many exporters make the mistake of assuming the rules use a common sense definition of military end-use and military end-user, but that is not the case.  For example, military end-use rules may apply in cases where you deliver to a manufacturer in China and the military end-user rule may apply in cases where you deliver items to the national police in Russia.  The other common mistake is that some people assume the rules are applicable to all EAR items, when, in fact, the rules apply only to those items identified in Supp. 2 to 744 of the EAR, which, for example, does not include EAR99 items.

“Military end use,” as defined in 744.21, includes delivery to activities involving the production of military items (on the USML, the Wassenaar Munitions List or in xx018 of 600 series ECCNs in the CCL), but does not include a complete ban on delivery to military entities, as it focuses on the nature of the end use, not on the end user.

The military end user rule for Russia and Venezuela is a complete ban on delivery of the items in Supp. 4 to “military end users,” which is defined to include national armed services (army, navy, marine, air force or coast guard), as well as the national guard and national police, government intelligence or reconnaissance organizations or any person or entity whose actions or functions are intended to support “military end uses” as defined in 744.21.

If you already have procedures in place to comply the long standing rules for China and the new rules for Russia, just update your procedures to apply to Venezuela the same procedures you use for Russia.  If you don’t have procedures for China or Russia, this Venezuela rule will spurn you to get something in place ASAP.

For more information go to: http://www.bis.doc.gov/index.php/regulations/federal-register-notices#79fr66288

BIS Adapts December 2013 Wassenaar List Changes

Tuesday, October 7th, 2014 by Brooke Driver

By: Brooke Driver

BIS announced on the 25th of July that it was making changes to the CCL to incorporate revisions to the Wassenaar Arrangement’s List of Dual-Use Goods and Technologies that took place at the plenary meeting last December. This rule harmonizes the CCL with the changes made to the WA List by revising ECCNs controlled for national security reasons in each category of the CCL, amending the General Technology Note, WA reporting requirements and definitions section in the EAR. BIS stated that it intends to publish a separate rule this month regarding changes to the Commerce Control List related to WA agreements for cybersecurity. The rule came into effect August 4.

BIS Lets ECCN 0Y521 Controls on Biosensor Systems Lapse

Tuesday, October 7th, 2014 by Brooke Driver

By: Brooke Driver

BIS announced a final rule amending the EAR by removing biosensor systems and related software and technical data from the list of items controlled in 0Y521.  The 0Y521 ECCNs are intended to temporarily control items the h the Commerce Department has determined should be controlled but for which there are no existing ECCNs.  Generally speaking, BIS gives itself one year to create a new ECCN or a new paragraph in an existing ECCN to control 0Y521 items—this is not a hard due date, as BIS reserves the right to create a rule postponing the date of reclassification, if necessary. However, if BIS neglects to reclassify these items within the time frame or release a rule allowing more time, they will automatically be designated as EAR99. BIS, finally, points out that this rule removes references to biosensor systems and related “software” and “technology” from the supplement, as these items have already been designated EAR99. The rule came into effect August 4, 2014.

The Export Compliance Manual: One Size Does Not Fit All

Thursday, August 28th, 2014 by Brooke Driver

By: Stephen Wagner

You are so confused.

BIS Agents were in your office conducting an “industry outreach.”  They spoke with your export managers and scanned through your export records and training program materials.  However, when they reviewed your export compliance manual, they said that it was inadequate and that your company could face higher penalties because of it, if violations are found.

When your company created the manual three years ago, they precisely followed and used the outline and sample forms for export compliance manuals that were given by BIS on its own website.  Since you followed their forms to the letter, how can you be non-compliant?

Simply put: when it comes to export compliance manuals, one size does not fit all.

The Bureau of Industry and Security (BIS) (the Department of Commerce’s export control office) has developed and published “Compliance Guidelines: How to Develop an Effective Export Management and Compliance Program and Manual.”  Within the contents of this 145-page document, BIS delineates the “Key Elements” necessary for export compliance programs in general and, more specifically, the manuals that are supposed to capture the policies and procedures that underlie those programs.

Yet, as informative and helpful as these Compliance Guidelines can be, they are just that – guidelines.  BIS stresses the importance of customizing the contents of your compliance manual (and program) to reflect your company’s operational realities and meet your company’s specific needs.

For example, if your company sends its technicians (and their equipment) out to overseas clients and customers to perform training, maintenance, repairs and warranty replacements, your compliance manual should specifically address the controls you have put in place to safeguard – and license, when necessary – the equipment, software, technical drawings and knowledge that goes out with them.  While the BIS-provided manual outline addresses “Nuclear explosive activities” and end-use checks for “Certain Rocket Systems and Unmanned Air Vehicles,” those sections are probably irrelevant for most companies and can be omitted from the export compliance manual.

Your company needs to reevaluate your compliance manual to see if the manual does such things as:

  • capture the company’s current operations and work-flows,
  • provide standard operating procedures (SOPs) for compliance activities and safeguards during each step of the export process,
  • allocate specific compliance tasks to specific responsible personnel, and
  • involve all levels of the company from the senior executives responsible for operations all the way down to the people working the loading dock.

In addition, your compliance manual should contain features that are not even included in the BIS Guidelines.  For example, your manual could contain, if applicable, SOPs to identify and prevent foreign corrupt practices, such as improper payments to foreign government officials.  Also, every manual should have procedures on how to respond to enforcement activities such as investigations, subpoenas and an announced or unannounced “industry outreach,” which is just an enforcement action in disguise.

You can also think outside the box when it comes to an export compliance manual.  The “manual” does not have to be a three-ring binder on a bookshelf.  An effective manual can also be well-documented checks and balances that are integrated into your automated processes.  For example, when entering the “ship to” name on a packing list, a pop-up window can ask whether the employee has checked the consignee’s name against screening lists promulgated by the various export control agencies.  Many enterprise accounting, logistics, and inventory control solutions can incorporate such control features into company operations.

Most critically, your export compliance manual needs to be a living, breathing document.  A manual created three years ago that has sat on a shelf almost invariably is outdated.  The company must have procedures in place for reviewing and updating the compliance manual no less than annually.  Employees need to be trained on how to use the manual (and report needed corrections to SOPs).  Finally, the manual needs to be in harmony with – and accurately reflect – the overall export compliance program for the company.

The importance of having an up-to-date, dynamic export compliance manual cannot be underestimated.  As special agents from the BIS Office of Export Enforcement will tell you, having a current manual (as part of the overall compliance program) is accorded “great weight” by BIS as a mitigating factor in possible export penalties and sanctions.  In contrast, an out-of-date manual speaks of an export compliance program that probably is not being adequately implemented by a company.

Commerce/Census: “Tips on How to Resolve AES Fatal Errors”

Thursday, August 28th, 2014 by Brooke Driver

Source: AES Broadcast #2014060

When a shipment is filed to the AES, a system response message is generated and indicates whether the shipment has been accepted or rejected. If the shipment is accepted, the AES filer receives an Internal Transaction Number (ITN) as confirmation. However, if the shipment is rejected, a Fatal Error notification is received.

To help you resolve AES Fatal Errors, here are some tips on how to correct the most frequent errors that were generated in AES for this month.


Fatal Error Response Code: 561

Narrative: DDTC License Number Unknown

Reason: The License Code/ License Exemption Code reported requires a Department of State/ Directorate of Defense Trade Controls (DDTC) license number, but the DDTC license number reported is unknown in AES.

Resolution: The DDTC license number reported must be valid in AES.

Verify the DDTC license number, correct and resubmit.


Fatal Error Response Code: 590

Narrative: Shipment Value Exceeds Available Value for License

Reason: The License Code/ License Exemption Code reported was DDTC S05 for a DSP-05 license, but the Value reported exceeds the value remaining on the license.

Resolution: The DSP-05 license has not been decremented because the Value reported exceeds the value amount remaining for that license.

Verify the Value, correct and resubmit.

For further assistance, contact the licensing agency. The Department of State/ Directorate of Defense Trade Controls / DDTC Help Desk can be reached on 202-663-2838.