Export-Controlled Technology: The Cost of Non-Compliance. IT.Can Quarterly Roundtable Series, September 24, 2008. Christopher J. Cochlin


Export-Controlled Technology: The Cost of Non-Compliance

IT.Can Quarterly Roundtable Series

September 24, 2008

Christopher J. Cochlin


Canadian Export Controls

1. Overview of Canadian Regime

2. Getting Started: Checklist for Export Controls

3. Internal Controls for Compliance

4. Common Misconceptions


Canadian Export Controls

Overview of Canadian Regime


Overview of Canadian Regime: Who Is Behind It?

A. DFAIT: Export Controls Division (Issuance of Export Permits; Administration of Export and Import Permits Act)

B. DFAIT: Legal Affairs Bureau, Economic Law Section (Int’l Negotiations; Economic Sanctions)

C. Canada Border Services Agency: Administration and Enforcement of Customs Act; Export Declarations

D. Others: CSIS, DND, RCMP, Communications Security Establishment (CSE), Justice Canada, Industry Canada, International Like-Minded Community (e.g. other Wassenaar Arrangement countries)


Overview of Canadian Regime: “Controlled”

Export “controlled” does not mean export “prohibited”:

• If a good is classified as “controlled”, an export permit is required

Permit issued at the discretion of Minister of Foreign Affairs:

• Briefing and recommendations by DFAIT, in consultation with OGDs


Overview of Canadian Regime: What is covered?

Permit required by destination:

• Area Control List (Myanmar, Belarus)

• United Nations Act (Regulations covering: Côte d’Ivoire, North Korea, Democratic Republic of the Congo, Iran, Iraq, Lebanon, Liberia, Rwanda, Sierra Leone, Sudan, Terrorists and Terrorist Organizations)

• Special Economic Measures Act (Myanmar, Zimbabwe)


Overview of Canadian Regime: What is covered?

Permit Required for Listed “Goods” and “Technology”:

• All items listed on the Export Control List

• All items listed in Canadian economic sanctions regulations (usually by reference to UNSC resolutions)


Overview of Canadian Regime: What is covered?

Identifying coverage based on product is a technical classification exercise:

→ Group 1 – Dual-Use List (commercial goods)

Group 2 – Munitions List

Group 3 – Nuclear Non-Proliferation List

Group 4 – Nuclear-Related Dual Use List

Group 5 – Miscellaneous Control Regime List (e.g. “strategic/5504 goods”)

Group 6 – Missile Technology Control Regime List

Group 7 – Chemical and Biological Weapons Non-Proliferation List


Overview of Canadian Regime: What is covered?

Group 1 “Dual-Use” (key categories for IT products):

• Category 1 – Advanced Materials

• Category 2 – Material Processing

• → Category 3 – Electronics

• → Category 4 – Computers

• → Category 5 – Part 1 (Telecoms) & Part 2 (Information Security)

• Category 6 – Sensors and Lasers

• Category 7 – Navigation and Avionics

• Category 8 – Marine

• Category 9 – Propulsion


Overview of Canadian Regime: What is covered?

“Goods”:

• Technical interpretation required for classification of tangible goods/equipment:

Exhaust all possible classifications

Identify all applicable definitions

Assess all available exceptions (including in general technical notes, category-specific notes, or definitions)


Overview of Canadian Regime: What is covered?

“Technology”:

• Same classification exercise as for “goods”

• “Technology” defined as information necessary for development, production or use of a product:

Covers “Technical Data” (e.g. tangible or intangible blueprints, plans, specifications, instructions, etc.)

Covers “Technical Assistance” (e.g. instruction, skills, training, consulting services)

• Found in “Part E” of every Category of Group 1

• Control of technology linked to control of underlying good


Overview of Canadian Regime: What is covered?

“Software”:

• Same classification exercise as “goods” and “technology”

• “Software” defined as a collection of one or more programs or microprograms fixed in any tangible medium of expression

• Found in “Part D” of every Category of Group 1

• Control of “software” linked to control of underlying good or technology


Overview of Canadian Regime: What is covered?

“Information Security” (Category 5 – Part 2):

• Covers stand-alone cryptographic products or other product solutions that include cryptographic elements (including third party elements)

• Covers relatively low encryption strengths – assess products against ECL Item 1-5.A.2(1)(a) & (b)

• Exceptions are limited: (1) “Note 2” - products accompanying user for the user’s personal use; (2) “Note 3” - generally available to the public + installed with little support + crypto not easily changed; (3) authentication or digital signature functions; (4) smart cards limited for radio, television, banking, etc.


Overview of Canadian Regime: What is covered?

US-origin “goods” or “technology”:

• Canada tracks and controls re-export of US goods

Prevents Canada from being a diversion point for US-embargoed countries

• Re-export of US-origin product is controlled either because:

Product is specifically identified on Canada’s ECL; or

Product falls into the catch-all ECL Item 5400


Overview of Canadian Regime: What is covered?

Exception regarding destinations:

• No export permit required for shipments to the United States or its territories, dependencies or possessions if:

US location is final destination; and

Sale is for end use of the product in the US

• Exceptions to the US exception: permit required for shipment to US of specific munitions, strategic/military, and agricultural/forestry goods


Overview of Canadian Regime: Permits

Number of permit options:

• Individual Export Permit (IEP): general/default rule applicable for specific transactions

• General Export Permit (GEP) 12: for re-exports of US-origin goods to non-embargoed countries (IEP for embargoed countries)

• Multi-destination, multi-shipment permits: for companies with strong compliance/internal controls (requires after-the-fact reporting of shipment details; valid over a specified period of time and subject to conditions)


Overview of Canadian Regime: Conclusion

Take-away items:

1. Canadian regime is a product of the broader government security community (and implements international agreements)

2. Control is based on: shipment destination; product characteristics (tangibles and intangibles); product/input origin (US content)

3. Controlled products = export permit application required

4. “Software” and “Technology” controlled to same extent as underlying good

5. “Encryption” = automatic assessment required

6. Exports to US (final destination + end use) = no permit required*

7. Multi-destination, multi-shipment permit is best bet: requires demonstrated compliance


Canadian Export Controls

Getting Started: Checklist for Canadian Export Controls


Checklist

1. Identify and compile all existing products (incl. inputs)

2. Identify in-house technical expertise:

• For use in classification exercise for each product and each input element (where applicable)

• Consider product from “good”, “software”, and/or “technology” perspectives for analysis purposes

3. Identify and assess any foreign export control documentation provided by suppliers of inputs (e.g. US export control classification)


Checklist

4. Identify and assess any US content (e.g. cost of acquisition as a percentage of value of final good)

5. Compile (and keep) transaction records for possible controlled products:

• POs, invoices, customs accounting documentation (tangible transfers), email communications or FTP downloads (intangible transfers)


Checklist

6. If non-compliance is discovered for existing products:

Establish the facts, prepare the documentation (incl. all relevant transactions records), and DISCLOSE

To avoid “knowing” violations of EIPA, discontinue all shipments of the product until: (1) disclosure is made; (2) a permit application is processed; and (3) a permit is received

Retain outside counsel, if required


Checklist

7. Going forward:

• Be ahead of the curve on new product deployments to avoid delays relating to permit applications (e.g. consult with DFAIT during development phase)

• Establish a compliance-oriented track record with the Canadian governmental security community

• Do so through appropriate internal controls


Canadian Export Controls

Internal Controls for Compliance


Compliance

Canada’s approach is compliance-oriented but statutory penalties are severe:

• Section 19 EIPA: Every person who contravenes any provision of this Act or the regulation is guilty of:

an offence punishable on summary conviction and liable to a fine not exceeding twenty-five thousand dollars or to imprisonment for a term not to exceed twelve months, or to both, or

an indictable offence and liable to a fine in an amount that is in the discretion of the court or to imprisonment for a term not exceeding ten years or to both.

• Penalties also under United Nations Act or Special Economic Measures Act

Canada Border Services Agency, RCMP, CSIS, etc., will be involved in investigating possible violations of EIPA


Internal Controls

Controls are key to compliance with Canada’s Export Control Regime

Recall that intangibles are covered: electronic transfers outside of Canada (e.g. FTP downloads); travel by technical support staff and any “technology” that they bring

Treat export control issues like any other accounting issue (do not re-invent the wheel)


Internal Controls

Consider, for example:

1. Establishing internal oversight and reporting relationships for export controls

2. Ensuring redundancy within operational units and proper record keeping

3. Appropriate tasking for appropriate personnel: sales staff (know your customer, know your destination); financial staff (oversight of sales staff); contracting/regulatory staff

4. Ensuring timely applications for export permits (DFAIT) and timely filing of export declarations (CBSA)

5. Anticipating permit expiry (multi-destination, multi-shipment) and ensuring prompt and seamless renewal

6. Maintaining internal reporting of sales of controlled products or external reporting to DFAIT (depending on nature of permit): monthly; quarterly; annually

7. Providing internal training and awareness for key staff regarding export control compliance requirements


Canadian Export Controls

Common Misconceptions


Common Misconceptions

1. Electronic transmission is not “exporting” for purposes of EIPA

• ECL Guide: “regardless of their destination or means of transmission (e.g. facsimile, electronic transfers, consulting services, etc.)”

2. If my supplier has an export permit, I will be “covered” by my supplier’s export permit

• Exporter of the good is responsible for obtaining permit

• Only Canadian residents may apply for permits


Common Misconceptions

3. If my company receives an export permit, no further export controls compliance activity is required

• Must adhere to conditions in export permit

• Must be on top of new products, new customers, and new export destinations

• Other issues to consider regarding extraterritorial application of other export controls/sanctions laws (e.g. US) and Canadian “blocking” legislation (i.e. FEMA)