it.can quarterly roundtable series september 24, 2008 export-controlled technology: the cost of...
Post on 25-Dec-2015
218 Views
Preview:
TRANSCRIPT
Export-Controlled Technology: The Cost of Non-Compliance
IT.Can Quarterly Roundtable SeriesIT.Can Quarterly Roundtable Series
September 24, 2008September 24, 2008
Christopher J. Cochlin
Canadian Export Controls
1. Overview of Canadian Regime
2. Getting Started: Checklist for Export Controls
3. Internal Controls for Compliance
4. Common Misconceptions
Canadian Export Controls
Overview of Canadian Regime
A. DFAIT: Export Controls Division (Issuance of Export Permits; Administration of Export and Import Permits Act)
B. DFAIT: Legal Affairs Bureau, Economic Law Section (Int’l Negotiations; Economic Sanctions)
C. Canada Border Services Agency: Administration and Enforcement of Customs Act; Export Declarations
D. Others: CSIS, DND, RCMP, Communications Security Establishment (CSE), Justice Canada, Industry Canada, International Like-Minded Community (e.g. other Wassenaar Arrangement countries)
Overview of Canadian Regime: Who Is Behind It?
Overview of Canadian Regime: “Controlled”
Export “controlled” does not mean export “prohibited”:• If a good is classified as “controlled”, an export
permit is required
Permit issued at the discretion of Minister of Foreign Affairs:• Briefing and recommendations by DFAIT, on
consultation with OGDs
Overview of Canadian Regime: What is covered?
Permit required by destination:• Area Control List (Myanmar, Belarus)
• United Nations Act (Regulations covering: Côte d’Ivoire, North Korea, Democratic Republic of the Congo, Iran, Iraq, Lebanon, Liberia, Rwanda, Sierra Leone, Sudan, Terrorists and Terrorist Organizations)
• Special Economic Measures Act (Myanmar, Zimbabwe)
Overview of Canadian Regime: What is covered?
Permit Required for Listed “Goods” and “Technology”:
• All items listed on the Export Control List
• All items listed in Canadian economic sanctions regulations (usually by reference to UNSC resolutions)
Overview of Canadian Regime: What is covered?
Identifying coverage based on product is a technical classification exercise:
→ Group 1 – Dual-Use List (commercial goods)
Group 2 – Munitions List
Group 3 – Nuclear Non-Proliferation List
Group 4 – Nuclear-Related Dual Use List
Group 5 – Miscellaneous Control Regime List (e.g. “stategic/5504 goods”)
Group 6 – Missile Technology Control Regime List
Group 7 – Chemical and Biological Weapons Non-Proliferation List
Overview of Canadian Regime: What is covered?
Group 1 “Dual-Use” (key categories for IT products):• Category 1 – Advanced Materials
• Category 2 – Material Processing
• → Category 3 – Electronics
• → Category 4 – Computers
• → Category 5 – Part 1 (Telecoms) & Part 2 (Information Security)
• Category 6 – Sensors and Lasers
• Category 7 – Navigation and Avionics
• Category 8 – Marine
• Category 9 – Propulsion
Overview of Canadian Regime: What is covered?
“Goods”:
• Technical interpretation required for classification of tangible goods/equipment:
Exhaust all possible classifications
Identify all applicable definitions
Assess all available exceptions (including in general technical notes, category-specific notes, or definitions)
Overview of Canadian Regime: What is covered?
“Technology”:• Same classification exercise as for “goods”
• “Technology” defined as information necessary for development, production or use of a product:
Covers “Technical Data” (e.g. tangible or intangible blueprints, plans, specifications, instructions, etc.)
Covers “Technical Assistance” (e.g. instruction, skills, training, consulting services)
• Found in “Part E” of every Category of Group 1
• Control of technology linked to control of underlying good
Overview of Canadian Regime: What is covered?
“Software”:
• Same classification exercise as “goods” and “technology”
• “Software” defined as a collection of one or more programs or microprograms fixed in any tangible medium of expression
• Found in “Part D” of every Category of Group 1
• Control of “software” linked to control of underlying good or technology
Overview of Canadian Regime: What is covered?
“Information Security” (Category 5 – Part 2): • Covers stand-alone cryptographic products or other
product solutions that include cryptographic elements (including third party elements)
• Covers relatively low encryption strengths – assess products against ECL Item 1-5.A.2(1)(a) & (b)
• Exceptions are limited: (1) “Note 2” - products accompanying user for the user’s personal use; (2) “Note 3” - generally available to the public + installed with little support + crypto not easily changed; (3) authentication or digital signature functions; (4) smart cards limited for radio, television, banking, etc.
Overview of Canadian Regime: What is covered?
US-origin “goods” or “technology”:
• Canada tracks and controls re-export of US goods
Prevents Canada from being a diversion point for US-embargoed countries
• Re-export of US-origin product is controlled either because:
Product is specifically identified on Canada’s ECL; or
Product falls into the catch-all ECL Item 5400
Overview of Canadian Regime: What is covered?
Exception regarding destinations:
• No export permit required for shipments to the United States or its territories, dependencies or possessions if:
US location is final destination; and
Sale is for end use of the product in the US
• Exceptions to the US exception: permit required for shipment to US of specific munitions, strategic/military, and agricultural/forestry goods
Overview of Canadian Regime: Permits
Number of permit options:
• Individual Export Permit (IEP): general/default rule applicable for specific transactions
• General Export Permit (GEP) 12: for re-exports of US-origin goods to non-embargoed countries (IEP for embargoed countries)
• Multi-destination, multi-shipment permits: for companies with strong compliance/internal controls (requires after-the-fact reporting of shipment details; valid over a specified period of time and subject to conditions)
Overview of Canadian Regime: Conclusion
Take-away items:
1. Canadian regime is a product of the broader government security community (and implements international agreements)
2. Control is based on: Shipment destination Product characteristics (tangibles and intangibles) Product/input origin (US content)
3. Controlled products = export permit application required
4. “Software” and “Technology” controlled to same extent as underlying good
5. “Encryption” = automatic assessment required
6. Exports to US (final destination + end use) = no permit required*
7. Multi-destination, multi-shipment permit is best bet: requires demonstrated compliance
Canadian Export Controls
Getting Started: Checklist for Canadian Export Controls
Checklist
1. Identify and compile all existing products (incl. inputs)
2. Identify in-house technical expertise:• For use in classification exercise for each product and
each input element (where applicable)
• Consider product from “good”, “software”, and/or “technology” perspectives for analysis purposes
3. Identify and assess any foreign export control documentation provided by suppliers of inputs (e.g. US export control classification)
Checklist
4. Identify and assess any US content (e.g. cost of acquisition as a percentage of value of final good)
5. Compile (and keep) transaction records for possible controlled products:
• POs, invoices, customs accounting documentation (tangible transfers), email communications or FTP downloads (intangible transfers)
Checklist
6. If non-compliance is discovered for existing products:
Establish the facts, prepare the documentation (incl. all relevant transactions records), and DISCLOSE
To avoid “knowing” violations of EIPA, discontinue all shipments of the product until: (1) disclosure is made; (2) a permit application is processed; (3) and a permit is received
Retain outside counsel, if required
Checklist
7. Going forward:• Be ahead of the curve on new product
deployments to avoid delays relating to permit applications (e.g. consult with DFAIT during development phase)
• Establish a compliance-oriented track record with the Canadian governmental security community
• Do so through appropriate internal controls
Canadian Export Controls
Internal Controls for Compliance
Compliance
Canada’s approach is compliance-oriented but statutory penalties are severe:• Section19 EIPA: Every person who contravenes any provision of
this Act or the regulation is guilty of: an offence punishable on summary conviction and liable to a fine not
exceeding twenty-five thousand dollars or to imprisonment for a term not to exceed twelve months, or to both, or
an indictable offence and liable to a fine in an amount that is in the discretion of the court or to imprisonment for a term not exceeding ten years or to both.
• Penalties also under United Nations Act or Special Economic Measures Act
Canada Border Services Agency, RCMP, CSIS, etc., will be involved in investigating possible violations of EIPA
Internal Controls
Controls are key to compliance with Canada’s Export Control Regime
Recall that intangibles are covered: electronic transfers outside of Canada (e.g. FTP downloads); travel by technical support staff and any “technology” that they bring
Treat export control issues like any other accounting issue (do not re-invent the wheel)
Internal Controls
Consider, for example:
1. Establishing internal oversight and reporting relationships for export controls
2. Ensuring redundancy within operational units and proper record keeping
3. Appropriate tasking for appropriate personnel: sales staff (know your customer, know your destination); financial staff (oversight of sales staff); contracting/regulatory staff
4. Ensuring timely applications for export permits (DFAIT) and timely filing of export declarations (CBSA)
5. Anticipating permit expiry (multi-destination, multi-shipment) and ensure prompt and seamless renewal
6. Maintaining internal reporting of sales of controlled products or external reporting to DFAIT (depending on nature of permit): monthly; quarterly; annually
7. Provide for internal training and awareness to key staff regarding export control compliance requirements
Canadian Export Controls
Common Misconceptions
Common Misconceptions
1. Electronic transmission is not “exporting” for purposes of EIPA
• ECL Guide: “regardless of their destination or means of transmission (e.g. facsimile, electronic transfers, consulting services, etc.)”
2. If my supplier has an export permit, I will be “covered” by my supplier’s export permit
• Exporter of the good is responsible for obtaining permit
• Only Canadian residents may apply for permits
Common Misconceptions
3. If my company receives an export permit, no further export controls compliance activity is required
• Must adhere to conditions in export permit
• Must be on top of new products, new customers, and new export destinations
• Other issues to consider regarding extraterritorial application of other export controls/sanctions laws (e.g. US) and Canadian “blocking” legislation (i.e. FEMA)
top related