Revision 4.3 of the Guidelines for Preparing Agreements has been posted on the DDTC website. Download the document at http://pmddtc.state.gov/licensing/documents/AG_Rev%204.3.pdf.
Archive for the ‘Export License’ Category
By: Danielle McClellan
Chemical Partners Europe (CPE) S.A. of Brussels, Belgium has been charged with 6 counts of Evasion after exporting coatings, pigments and paints from the US to its facility in Brussels and then to Iran. The exported items were suitable for use in nuclear facilities and had marine applications, making them subject to the Export Administration Regulations (EAR) as well as the Iranian Transactions Regulations (governed by the Department of Treasury’s Office of Foreign Assets Control (OFAC)).
Between January 2010 and March 2011, the company purchased the coatings, pigments and paints, valued at $244,358, from a US company and concealed the fact that the ultimate destination was actually Iran. The shipper’s export declarations that were filed listed CPE as the ultimate consignee and Belgium as the country of ultimate destination. Once CPE received the items, it transferred them directly to Iran without proper authorization.
CPE has agreed to pay $350,000 to settle the charges; they will not be debarred. Charging Letter
By: Danielle McClellan
Richard Wyatt, owner of Gunsmoke, a firearm store in Wheat Ridge, Colorado, has been indicted and arrested on several charges of conspiracy, dealing firearms without a license, and tax-related charges. Gunsmoke was featured in the reality show, American Guns, on the Discovery Channel from 2011 through 2012. The show basically mixed the haggling of Pawn Stars with gun customizations and machine gun sales.
In April 2012, Wyatt and Gunsmoke surrendered their Federal Firearms Licenses (FFL) after violations of federal laws and regulations (tax issues have been presumed). In order to get around the issue of not having an FFL, Gunsmoke changed the address of a store known as Triggers Firearms LLC and used it as a straw licensee. Gunsmoke never held an ownership interest in Triggers, and Wyatt submitted false paperwork to the ATF to hide this fact.
From April 1, 2013 to March 31, 2015, no person/employee of Gunsmoke was licensed to engage in the business of dealing firearms. Wyatt directed all employees to ring up sales of firearms as “miscellaneous” sales to get around this issue. To further conceal sales and gunsmithing services, customers would physically pay for the firearms and services from Gunsmoke but would then be sent to another firearm store (which had a valid FFL) where they would fill out their background check paperwork and take possession of the firearm purchased from Gunsmoke.
At this time Wyatt faces the following charges:
- Two counts of conspiracy (each count carries not more than 5 years in prison and up to $250,000 fine)
- Three counts of dealing in firearms without a license (each count carries not more than 5 years in prison and up to $250,000 fine)
- One count of filing a false tax return (carries not more than 3 years in prison and up to a $100,000 fine)
- Seven counts of failure to file a tax return (each count carries not more than one year in federal prison and up to a $25,000 fine)
(Source: Homeland Security Committee) Author: Kevin J. Wolf, Assistant Secretary of Commerce for Export Administration.
Transcript of statement:
“Thank you, Chairmen Hurd and Ratcliffe, and Ranking Members Kelly and Richmond.
The Wassenaar Arrangement is a 41-member export control group in which the United States participates. It was established to contribute to regional and international security and stability by promoting greater responsibility in the transfer of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations of such items. Participating States maintain a common control list of items warranting control for these reasons and seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities that undermine these goals, and are not diverted to support such capabilities. The list of such items is developed and updated by the Participating States through consensus determinations, generally made at the end of each year. …
In December 2013, Wassenaar approved new export controls on “command and delivery platforms” for “intrusion software” and related technology. Specifically, the entries in Category 4 (Computers) of the Wassenaar dual-use control list would control non-publicly available software (4.D.4.) that generates, operates, delivers, or communicates with “intrusion software.” “Intrusion software” is defined as software designed to covertly gain access to a computer or other networked device and, once inside, to extract or modify data or modify the execution path of the device to allow the execution of externally provided instructions. Related hardware and technology entries (4.A.5. and 4.E.1.c.) control systems and equipment for generating, operating, delivering, or communication with “intrusion software,” and technology for developing “intrusion software.” The original proposal for these controls came from another Wassenaar member nation in 2012. Examples of the types of commercial hacking software intended to be captured by this control include those offered by Hacking Team (Italy), Gamma/Fin-Fisher (Germany), and Vupen (France).
The controls were novel in that they were the first foray by a multilateral export control community into the area of offensive cyber tools. The agreed-upon entries covering software intentionally excluded “intrusion software” itself — that is, certain kinds of malware — from control because of a general understanding that everyone with a computer or mobile device infected by such malware or “exploits” could become an unwitting “exporter” of it (e.g., by forwarding an infected e-mail to someone in another country). The technology entry, however, imposes controls on non-publicly available technology for the development of such software as well as on technology for the development of the controlled delivery systems. …
In order to not take an action that would inadvertently harm our nation’s ability to engage in critical cyber defense and related research work, we decided in May 2015 to take the unprecedented step of publishing these Wassenaar control list entries as a proposed rule, with a request for private sector comments, rather than as a final rule. Our hope was that the private sector comments would give us a better sense for whether the rule would have unintended impacts on our cyber defense and cyber research ecosystems. All dual-use controls have consequences and impose costs on the private sector. That is the nature of controls. This one, however, was different because the impact would be not just on the economic bottom-line of U.S. companies, but on our government’s and our nation’s ability to share efficiently and quickly the types of technology necessary to conduct cyber defense and related research.
Immediately following publication of the proposed rule, Commerce received questions from U.S. private sector and others in the U.S. Government about the intended scope of the controls. In order to ensure that comments were informed and responsive to the proposed controls set forth in the rule, Commerce published answers to a list of “frequently asked questions” on its website to address what we determined were regular queries in order to encourage more focused and more useful public comments. It was clear from these initial questions that the terminology used in the control list entries and the proposed rule were understood differently by the cybersecurity community than by the export control agencies and the Wassenaar Participating States. By the end of the 60-day comment period, Commerce had received more than 260 comments, virtually all of them negative. Some commenters took the view that the underlying control at Wassenaar could not be implemented without causing significant harms to cybersecurity. Others made specific recommendations on ways to mitigate many of the concerns. Some praised the underlying objectives of the rule, while nonetheless proposing modifications to the scope of the proposed regulation, such as through license exceptions and definitions, to reduce the impact of unintended consequences. …
Neither the Commerce Department nor the Administration has reached a conclusion about how to respond to the public comments. We are still reviewing and considering them. Importantly, all U.S. Government agencies with expertise and equities in cyber defense research and related work are reviewing the comments and will provide input as a next step, before we make a decision on what to do about the proposed rule. As requested by your committees, I can, however, summarize the essence of the comments – reiterating that the Administration has not come to any final conclusions regarding how to respond to the comments or to the extent to which they are correct technically. The public comments, including presentations at technical advisory committee meetings during the past three months, focus on three main issues.
First, some commenters asserted that the proposed regulation’s definition of “intrusion software” is too broad and, as a technical matter, fails. They assert that malware recovery tools would be caught by the entries because they interact with malware to regain control of an infected system, and some defense research tools would be caught because they analyze malware to develop new defensive products. They also assert that products that patch systems or add capabilities to programs would themselves be controlled under these entries because of the way they interact with or manipulate programs. These products are integrated with the hardware (systems, equipment, and components) and are designed to legitimately bypass or defeat protections, modify the standard execution path of software, and access data. According to the commenters, they would often thus be software for the generation, operation, delivery of or communication with “intrusion software” and caught by the new controls.
Second, other commenters contend that the proposed rule to implement the control list entries as written, based on the definition of “intrusion software,” would impose a heavy and unnecessary licensing burden on legitimate transactions that contribute to cyber security. Government agencies and private sector cyber security companies routinely test their systems and networks to identify vulnerabilities and, if possible, discover existing malicious attack agents. These companies then provide their clients with threat mitigation tools and strategies. To accomplish this, they use the same tools the controls on intrusion items identify, though their use is authorized by their target. To accomplish their mission, they need to employ tools for computers or networks that have the functional specifications of the control parameters, e.g., avoid detection, defeat protective countermeasures, extract data or information, modify system or user data, and modify the standard execution path of a program or process to execute externally provided instructions. These are exactly the characteristics a successful malicious attacker’s software would have and what the assessment team’s tools need to be able to replicate. During these defensive engagements, members of the assessment team frequently need to create custom scripts (i.e., software programs) to effectively assess the extent of the vulnerabilities by creating exploits, and to determine if a successful attack has taken place or is in progress.
Third, other commenters state that the proposed rule’s controls on technology for the development of “intrusion software” could cripple legitimate cybersecurity research. To address cyber threats, technical information must be shared with experts across the globe. In order to identify and quickly counter threats, the cybersecurity industry relies heavily on collaboration with other companies within and outside of the United States, as well as independent experts around the world. Many of these experts are self-taught, have no prior formal relationship with cybersecurity firms, and, in many cases, may be unknown until they discover a new vulnerability. To address vulnerability, a company must be able to engage in a back-and-forth dialogue with these researchers and experts. Often, the dialogue must include detailed discussion of exactly how a particular vulnerability could be exploited to gain control of a computer; without such discussion it is not possible to evaluate the risk posed by a vulnerability or to fashion an effective and comprehensive defense. Some commenters were concerned that, by subjecting vulnerability research, assessments, and testing to export licensing requirements including classification, screening, and other control elements, the control would limit the ability to fix and patch such vulnerabilities, leading to an overall decrease in the quality of cybersecurity. When vulnerabilities are discovered, they must be reported as soon as possible so that a fix can be developed. This process involves sharing not only the vulnerability and exploit, but also the technical information on how the exploits work, including the technology to develop them.
The commenters had many suggestions regarding how to address their concerns. The Administration will be reviewing all of them and many other ideas for how to address the policy objectives of the control but without unintended collateral harms. As I have said many times in response to questions about the rule, the only thing that is certain about the next step is that we will not be implementing as final the rule that was proposed. In working through this process, we will continue to seek input from those with expertise and equities in cyber security in both the U.S. government and the private sector before deciding in conjunction with its interagency partners what the next step should be. I thus welcome the Subcommittees’ inputs and am prepared to answer any questions you may have.”
(Source: firstname.lastname@example.org, 14 Jan 2016)
This message is not intended for filers using AESWebLink and AESDirect EDI Upload. It is strictly for the attention of filers using the legacy AESDirect portal at aesdirect.census.gov and the AESPcLink application.
The Refactored AESDirect system in the Automated Commercial Environment was launched on November 30, 2015. Since that time, filers have submitted over 47,000 accepted shipments using the new system.
As part of the transition of AESDirect to the ACE Portal, the ability to file Electronic Export Information via legacy AESDirect at aesdirect.census.gov and the AESPcLink application will be terminated in stages over the next two months. All legacy AESDirect filers will be notified of their mandatory transition date to the Refactored AESDirect system upon login and be provided a specific date their account will be closed off based upon their Filer ID.
The dates for this transition are based upon the two-digit prefix of the Filer ID and accounts will be closed off from legacy AESDirect accordingly.
- Prefixes 00-19 on 02/15/2016
- Prefixes 20-39 on 02/22/2016
- Prefixes 40-59 on 02/29/2016
- Prefixes 60-79 on 03/07/2016
- Prefixes 80-99 on 03/14/2016
Please make sure you have taken steps to begin filing in the Refactored AESDirect system in ACE prior to your mandatory transition date.
For more information regarding the transition, please see our AESDirect Transition to ACE – Refactored AESDirect page here.
For further information or questions, contact the U.S. Census Bureau’s Data Collection Branch.
(Source: email@example.com, 19 Jan 2016)
When a shipment is filed to the AES, a system response message is generated and indicates whether the shipment has been accepted or rejected. If the shipment is accepted, the AES filer receives an Internal Transaction Number (ITN) as confirmation. However, if the shipment is rejected, a Fatal Error notification is received.
To help you resolve AES Fatal Errors, here are some tips on how to correct the most frequent errors that were generated in AES for this month.
Fatal Error Response Code: 515
– Narrative: ECCN Must be Formatted NANNN
– Reason: The Export Control Classification Number (ECCN) was not reported in the correct format.
– Resolution: The Export Control Classification Number (ECCN) must be reported in a NANNN format, where N is a numeric character and A is an alpha character. Verify the ECCN, correct the shipment and resubmit.
Fatal Error Response Code: 561
– Narrative: DDTC License Number Unknown
– Reason: The License Code/ License Exemption Code reported requires a Department of State/ Directorate of Defense Trade Controls (DDTC) license number, but the DDTC license number reported is unknown in AES.
– Resolution: The DDTC license number reported must be valid in AES. Verify the DDTC license number, correct the shipment and resubmit. For further assistance, contact the licensing agency. The Department of State/ Directorate of Defense Trade Controls / DDTC Help Desk can be reached on 202-663-2838.
For a complete list of Fatal Error Response Codes, their reasons, and resolutions, see Appendix A – Commodity Filing Response Messages.
It is important that AES filers correct Fatal Errors as soon as they are received in order to comply with the Foreign Trade Regulations. These errors must be corrected prior to export for shipments filed predeparture and as soon as possible for shipments filed postdeparture, but not later than five calendar days after departure.
For further information or questions, contact the U.S. Census Bureau’s Data Collection Branch.
The Census Bureau has released a few helpful tips to make the vetting process for obtaining authorization to access your export data in ACE a little easier.
Some helpful tips:
- Vetting by the Census Bureau Team is NOT required to file Electronic Export Information (EEI) via AESDirect in ACE.
- Only request “EIN Reports Authorization” if you want to access export reports in ACE.
- Newly established export accounts without prior filing history at the EIN level will not be authorized to access export reports in ACE.
- EINs associated with an established ACE Importer Account do not require further vetting by the Census team, therefore do not select the feature “Requests EIN Reports Authorization” when adding the exporter role to an existing account.
- Submit the Certificate of Authority (COA) for subsidiaries that plan on retrieving export reports. Prior filing history for each requested EIN is required.
- If you have multiple EINs associated with an account, request access for each EIN and submit a comprehensive COA listing the subsidiaries requesting access.
- In addition, shipment information must be verified by the Census Team prior to obtaining approval for Reports Authorization.
The information provided in this broadcast will assist you in obtaining Export Reports Access. Please visit our website for additional information on obtaining Exports Reports authorization by the Census Bureau here.
For additional assistance, call the International Trade Helpline at 800-549-0595.
By: Danielle McClellan
On September 14, 2012, GLS Solutions, Inc. of Aventura, Florida exported a $28,335 FLIR 440 High Performance Infrared Camera to Venezuela. The camera is classified under ECCN 6A003.b.4 and is controlled for National Security and Regional Stability reasons. GLS knew that a license was required to export the camera but continued to export it without obtaining a license. GLS has been assessed a penalty of $50,000 for one violation of “Acting with Knowledge of a Violation.” $32,500 of the penalty will be suspended for one year and eventually waived if GLS does not commit any further violations within the one-year probationary period.
Gregorio L. Salazar, owner and president of GLS Solutions, was aware of the violation; however, in his initial disclosure letter to BIS regarding the illegal export of the camera, he stated he was “not aware that this camera required approval from United States Government in order to be shipped to Venezuela.” Nearly 6 months later, during a follow-up interview with a BIS Special Agent, Salazar admitted that he knew the licensing requirement for the FLIR camera prior to exporting it to Venezuela and explained that a FLIR Systems, Inc. representative informed him prior to the export that a license was required. In addition to the penalty on the company, Salazar will pay $50,000 for one charge of providing “False or Misleading Statement(s) in a Disclosure to BIS.” BIS did not suspend any of Salazar’s fine.
DDTC Source (lyrics by John Black)
Licensing officers sing, are you listening?
In the cue, licenses glistening!
A button to press, it’s licensing success!
Living in a licensing wonderland!
In order to provide greater transparency and predictability for US defense firms in planning munitions license submissions, the Directorate of Defense Trade Controls will provide monthly updates of the Directorate’s processing times. The timelines are expressed in averages across all case activity. For electronic cases, the average is based on the date the case was signed by the applicant until the date of final action. For hardcopy cases, the processing times are determined by the date the case entered the Directorate until the time the case is signed out of the Directorate. Processing numbers include all case types except Commodity Jurisdictions (CJs), Government Jurisdictions (GJs), and Electronic Rejections.
|Month and Year|Jun ’15|Jul ’15|Aug ’15|Sep ’15|Oct ’15|Nov ’15|
Cases Open at End of Month
(in Calendar Days)