Export Controls in the United States

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

Introduction

The US government controls exports of sensitive equipment, software and technology for reasons of national security and foreign policy. Generally, the goals of US export controls are to (1) protect the national security of the United States by limiting access to the most sensitive US technology and weapons, (2) promote regional stability, (3) prevent the proliferation of weapons and technologies, and (4) protect human rights around the world.

US export controls frequently apply extraterritorially, extending US export controls compliance obligations to non-US persons. For example, an item of US origin can remain controlled under US laws even after its initial export, and require a licence or authorisation for reexport – or even transfer within a single country – from one non-US person to another non-US person. Even certain items produced outside the United States may be subject to US export controls if they are the direct product of certain technology, software or machinery of US origin. In other cases, items that are not of US origin can become subject to US jurisdiction if they contain more than 25 per cent (or in some cases even less) controlled US-origin components, technology or software.

This chapter provides an overview of the US export controls regimes, with a focus on the Export Administration Regulations (EAR),[2] administered by the US Department of Commerce’s Bureau of Industry and Security (BIS), which controls dual-use items – meaning items that can be used for civil or military purposes – as well as certain less-sensitive defence articles, and the International Traffic in Arms Regulations (ITAR),[3] administered by the US Department of State’s Directorate of Defense Trade Controls (DDTC), which controls ‘defense articles’ and ‘defense services’.

In this fourth edition of The Guide to Sanctions, we note the continuing US trend of expanding the scope and applicability of US export controls rules targeting specific destinations, regions and end users in support of the US goals to protect US national security, promote regional stability and protect human rights. Since the first edition, we have seen a distinct broadening of the scope and applicability of US export controls. For example, in 2022, following Russia’s invasion of Ukraine, expansive new US export controls were issued in relation to Russia and Belarus. The new rules impact numerous exports involving Russia and Belarus, including through: the imposition of new licence requirements for the export to Russia and Belarus of all items on the EAR’s Commerce Control List (CCL); the expansion of jurisdiction to more foreign-produced items; and the introduction of specific military end user licence requirements.[4] In recent years, we have also seen an increased focus on coordination with other countries that have shared policy goals with the United States. For example, in 2023, on the one-year anniversary of Russia’s invasion of Ukraine, BIS amended and expanded US export controls on items in certain industrial, chemical and luxury goods sectors.[5] The amendments are intended to better align US export controls with controls implemented by US allies and partners.

We also see a continued focus on China, which is another target of the expanded use of export controls. In recent years, the protection of human rights has also become an increasingly prominent element of US export controls policy. For example, in 2023, the United States issued a revised version of the US Conventional Arms Transfer (CAT) policy that articulates the framework under which the US government reviews and evaluates proposed arms transfers.[6] The revised CAT broadens the range of human rights-related harms considered in connection with potential arms transfers and also strengthens a restriction on arms transfers that could contribute to atrocity crimes, lowering the standard from ‘actual knowledge’ that arms would be used to commit atrocities to a commitment not to transfer arms that would ‘more likely than not’[7] contribute to atrocity crimes, including but not limited to genocide, crimes against humanity and the intentional targeting of civilian objects or civilians. In addition, in 2023, BIS amended the criteria for Entity List designations to confirm its position that ‘the protection of human rights’ is a foreign policy interest considered in assessing whether the activities of an entity are ‘contrary to the national security or foreign policy of the United States’.[8] BIS has also issued guidance formalising its policy of providing for enhanced consideration of human rights concerns when reviewing almost all licence applications.[9] The guidance also sets forth BIS’s expectation that exporters will exercise due diligence when submitting a licence application that may implicate human rights concerns and provides resources to help exporters assess whether a proposed export is destined for countries, end users and end uses that may implicate human rights concerns.[10]

The US government has continued to prioritise engagement with the private sector and universities as a means to support export compliance and prevent circumvention of US and allied export controls. In 2022, BIS announced the Academic Outreach Initiative, which prioritised engagement with universities that either possess ties to foreign universities on the Entity List, host a strategic Department of Defense University Affiliated Research Center or conduct research in sensitive technologies subject to the EAR.[11] Through this initiative, these universities have been assigned a specific agent from their local BIS office to help with export compliance. In addition, BIS has provided guidance to the private sector on red flags of potential Russian and Belarusian export control evasion attempts.[12] The above reflects an ongoing effort by the US government to enable the private sector and academic institutions to support compliance with US export controls.

As discussed in other US-related chapters in this Guide, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) also restricts the export of items to certain destinations and entities. Sometimes there is overlapping jurisdiction between OFAC sanctions programmes and other US export control regimes, such as the EAR. In some cases, a licence may be required from one or even multiple authorities to export items subject to US jurisdiction, particularly to embargoed destinations. It is important to determine which US export control regimes may apply to a specific transaction and assess licensing requirements accordingly.

Various other US government entities also play a role in administering US export controls, including the US Department of Commerce’s Census Bureau, which is responsible for ensuring the accuracy of the trade control data reporting; the Nuclear Regulatory Commission and the Department of Energy, which regulate exports relating to nuclear items and technology; the Federal Emergency Management Agency, which is more recently responsible for overseeing exports of personal protective equipment from the United States; and the US Patent and Trademark Office, which administers regulations overseeing exports of technology in connection with patent applications and related filings.[13] Additional information about other US government agencies and offices with export control responsibilities is available at the BIS website.[14]

Export Administration Regulations

The EAR,[15] administered by BIS, control the export, reexport or transfer (in-country) of certain items of US origin and, in some cases, of non-US origin. The EAR’s CCL[16] sets out a technically focused list of goods, software and technology with varying levels of controls based on a variety of national security and foreign policy reasons and the country of destination. Apart from the CCL-based controls, the EAR also control the export of certain items to restricted destinations, end uses and end users. BIS has various offices dedicated to overseeing technical review, licensing, providing support to exporters, and investigating and enforcing potential regulatory violations.[17]

Scope of the EAR

The EAR apply to items that are in the United States, items of US origin, wherever located, foreign-produced items that contain more than a de minimis amount of controlled US-origin content, and items that are the direct product of certain US-origin technology or software. The EAR also apply to US person activities in certain circumstances. For example, in 2022, the US government implemented new restrictions on US person activities in support of certain semiconductor activities in China.[18] This means that both US and non-US persons and companies may have compliance obligations under the EAR, and both US-origin and foreign-produced items may be subject to the EAR.

Items subject to the EAR

All items physically located in the United States are subject to the EAR, including hardware, software and technology, and remain subject to the EAR after export[19] from the United States, for reexport and transfer (in-country), with some exceptions. An item subject to the EAR that is sent from one foreign country to another foreign country is a ‘reexport’.[20] In relation to this, a ‘transfer (in-country)’[21] under the EAR is a change in end use or end user within the same foreign country, which could trigger a licensing obligation. In some cases, items in the United States, such as technology, can be considered exported even though the technology has not left the United States, if it is transferred to a non-US person located in the United States. This is referred to as a ‘deemed export’.[22] The EAR further clarify: ‘Any release in the United States of “technology” or source code to a foreign person is a deemed export to the foreign person’s most recent country of citizenship or permanent residency.’[23]

Some items in the United States are not subject to the EAR; these are discussed further below. Additionally, there are foreign products that are subject to the EAR in certain circumstances if the foreign-produced item contains more than a de minimis [24] amount of controlled US content (the De Minimis Rule), and certain foreign produced items that are the direct product[25] of US-origin technology and software that is controlled for national security reasons, or are produced by a complete plant or a ‘major component’ of a plant that is the direct product of that technology or software (the Foreign-Produced Direct Product Rule).[26] In 2020, the Foreign-Produced Direct Product Rule was modified to specifically target certain companies on the Entity List by expanding the scope of non-US origin (i.e., foreign-produced) items that are subject to US export licensing requirements when being transferred to, or for use by, the relevant Entity List entities.[27] In 2022, a new Russia/Belarus Foreign Direct Product (FDP) Rule and a Russia/Belarus-Military End User FDP Rule[28] were implemented. These new rules apply to an expanded scope of foreign-produced items destined for Russia and Belarus. In 2023, a new Iran Foreign Direct Product Rule[29] was implemented to address the use of Iranian Unmanned Aerial Vehicles by Russia in its war against Ukraine. The new Rule applies to foreign-produced items identified in new Supplement No. 7 to Part 746 of the EAR when they are destined for Russia, Belarus or Iran, as well as to certain foreign-produced items specified in any Export Control Classification Number (ECCN) Categories 3 to 5 or 7 on the CCL when destined for Iran.

Items not subject to the EAR

Items not subject to the EAR include those that are under the exclusive jurisdiction of another US government agency; certain publications, including books, newspapers and periodicals; and information and software that are published, arise during, or result from, fundamental research, are released in an academic institution course (in certain circumstances) or appear in published patent applications.[30]

EAR basics

The EAR can be a complex area of US export controls. We provide the basics of the EAR below; further background details regarding the EAR can be found in Part 732 of the EAR, ‘Steps for Using the EAR’.[31]

To determine obligations under the EAR, first, basic information regarding the transaction must be determined.

  • What is it? Knowing an item’s classification on the CCL is an important first step to determining obligations under the EAR.
  • Where is it going? The country of ultimate destination often determines the licence requirements under the EAR.
  • Who will receive it? It is important to screen the end users to confirm that they are not restricted, and to determine whether certain licence exceptions may apply.
  • What will they do with it? Certain end uses can independently trigger licensing requirements under the EAR.
  • What else does the end user do? Some activities, such as proliferation activities, undertaken by end users may prevent dealings with them.[32]

The General Prohibitions at Part 736 of the EAR set out various restrictions applicable to the export of items subject to the EAR. General Prohibitions one to ten[33] cover a broad set of prohibited activities touching on almost all aspects of the EAR, including exports or reexports to prohibited end uses or end users (General Prohibition Five); exports or reexports to embargoed destinations (General Prohibition Six); and proceeding with a transaction with knowledge that a violation has occurred or is about to occur (General Prohibition Ten). General Prohibition Ten can particularly affect non-US companies, especially if they have items in their possession that may have been involved in violations of the EAR. In some cases, authorisation from BIS may be needed prior to the return, disposal or any other dealings in items subject to the EAR if there is knowledge that a violation has or is about to occur in relation to those items.[34] In 2021 and 2022, BIS expanded the scope of General Prohibition Seven.[35] The rule imposes additional licence requirements under the EAR for US persons that are involved in a broad array of activities related to proliferation activities and certain military intelligence end uses or end users in China, Russia, Venezuela, Belarus, Myanmar and other US embargoed destinations.

Jurisdiction

Jurisdiction is a threshold question in determining whether an item is subject to the EAR. For purposes of the EAR, an item may be subject to the EAR unless it is under the exclusive control of another US regime, such as military items that are controlled under the ITAR. In that sense, the EAR are something of a catch-all regime. Items subject to the EAR also include:

  • all items located in the United States;
  • items moving in transit through the United States;
  • all US-origin items wherever located;
  • foreign-made items that incorporate more than a de minimis amount of controlled US-origin content; and
  • foreign-made items that are the foreign-produced direct product of certain US-origin technology or software.[36]

Classification

If an item is subject to the jurisdiction of the EAR, a review of the CCL should be conducted to determine whether the item is listed. The CCL contains a (mostly) positive list of items used by BIS to identify more sensitive dual-use or civil items, as well as some less sensitive defence articles not falling within ITAR control that BIS controls for export, reexport or retransfer. The CCL entries contain technical parameters that often require the review of technical experts to make a determination. The CCL entries are identified by ECCNs, which are denoted by a five-digit alphanumeric reference. They begin with a number between zero and nine, indicating the general category of the item that is controlled (e.g., electronics, computers and information security); followed by a letter identifying the product group of the item (e.g., software and technology); followed by a final three digits that indicate the type or reason for control (e.g., missile technology, nuclear non-proliferation and Wassenaar Arrangement Munitions List).[37]

If an item is determined to be subject to the jurisdiction of the EAR but is not listed on the CCL, it is classified as EAR99, which is a catch-all classification. In general, EAR99 items may be exported to most destinations without a licence. However, key exceptions are detailed in the EAR, including where a General Prohibition applies. For example, an EAR99 item may not be exported without a licence to certain restricted destinations, for certain prohibited end uses or to certain prohibited end users.[38] Currently, the destinations that are subject to heightened restrictions under the EAR include Iran, North Korea, Syria, Cuba, Iraq, Russia and the Crimea and so-called ‘Donetsk People’s Republic’ and ‘Luhansk People’s Republic’ regions of Ukraine.[39]

Licence determination and licence exceptions

Determining whether a licence is required is a key step under the EAR, as the regime only requires a licence for certain exports. For items listed in an ECCN, it must be determined whether the item is controlled for the end destination as specified in the ECCN entry on the CCL and detailed in the Commerce Country Chart.[40] The Commerce Country Chart identifies the ‘reasons for control’ of the items and cross-references the reasons for control with each potential destination country. If the end destination is not subject to the ECCN’s reason for control then a licence is not required for reasons based on the product’s classification and the end destination. In 2020, BIS changed its treatment of Hong Kong under the EAR, and Hong Kong is now subject to the same licence requirements as China.[41]

A licence may also be required if one of the 10 General Prohibitions is triggered. As noted above, General Prohibitions can trigger licence requirements, even for EAR99 items not otherwise subject to a licence requirement under the EAR, if they involve a restricted end use or end user, among other things. For example, General Prohibition Nine specifically prohibits violations of any order, term or condition of a licence or licence exception.[42] General Prohibition Five prohibits knowingly exporting or reexporting any items subject to the EAR to or for a prohibited end user or end use as described in Part 744 of the EAR. For example, certain exports to military end users and for military end uses are prohibited under Section 744.21 of the EAR (the MEU Rule).[43] In 2020 and 2021, the MEU Rule was revised and broadened in scope and application to military end users and for military end uses in Myanmar, China, Russia and Venezuela.[44] A non-exhaustive Military End-User List (the MEU List) was also added.[45] In 2022, the new Section 746.8 (Sanctions Against Russia and Belarus) was added to the EAR, containing expansive new US export control licence requirements applicable to exports, reexports or in-country transfers to these destinations.[46] With limited exceptions, BIS reviews applications for the export, reexport or transfer (in-country) of any item requiring a licence pursuant to Section 746.8 under a policy of denial.[47]

As a final step, if a licence appears to be required under the EAR for the export, reexport or transfer of an item, the licence exceptions at Part 740 of the EAR should be reviewed to determine whether any of the licence exceptions may apply. The application of an EAR licence exception is fact-specific; each exception varies in application and has detailed compliance requirements.

BIS lists of parties of concern

BIS has three lists of parties of concern.[48] Inclusion on these lists can have a dramatic effect on the listed parties’ ability to lawfully obtain items subject to US jurisdiction.

The BIS Entity List prohibits the listed entities from being a ‘party to a transaction’[49] when receiving, using, purchasing or acting as intermediate consignee, for some or all items subject to the EAR without a licence.[50] The Entity List has been increasingly used in recent years against entities determined to be acting contrary to US national security or foreign policy interests, including the protection of human rights worldwide.[51] For instance, in 2023, 11 entities were added to the Entity List for their alleged involvement in human rights violations and abuses in Burma, China, Nicaragua and Russia.[52]

The Denied Persons List is a list of individuals and entities that have been denied export privileges from the United States.[53] An order to deny export privileges generally restricts the ability of the named party to participate in export and reexport transactions that involve, or restrict access to, items subject to the EAR.

Finally, the Unverified List (UVL) is a ‘list of parties whose bona fides BIS has been unable to verify’.[54] BIS conducts end-use and end-user visits all over the world via its export enforcement officers (EEO), who are embedded at US embassies. Generally, if an EEO is unable to verify an end user or the end use of an item that was previously exported to a non-US party under a BIS licence, the party is placed on the UVL. In 2022, BIS clarified that a sustained lack of cooperation by the host government in a country where an end-use check is to be conducted that effectively prevents BIS from determining compliance with the EAR, will be grounds for adding an entity to the Entity List.[55] No licence exceptions may be used to export to UVL parties and a UVL statement must be obtained before shipping anything subject to the EAR (even if not subject to a licence requirement).[56] The UVL statement must include the name of the UVL party, its complete physical address, an end-use statement and a commitment to cooperate with BIS’s end-use checks.[57] In 2023, 14 persons in China were added to the UVL because BIS was unable to verify the persons’ bona fides or complete an end-use check.[58]

Extraterritorial aspects of the EAR

In addition to the foregoing discussion regarding reexports or transfers of unchanged or unmodified US-origin items that remain subject to the EAR, wherever located, we highlight a few other key extraterritorial aspects of the EAR.

The De Minimis Rule

The De Minimis Rule described in Part 734 of the EAR requires that certain foreign-produced items that incorporate controlled items of US origin be subject to the EAR if the percentage of controlled US-origin content is over 25 per cent or (for some countries) 10 per cent. There are a few items that are not eligible for the De Minimis Rule, such as some types of computers and certain encryption technology. General Prohibition Two prohibits the reexport and export from abroad of foreign-made items incorporating more than a de minimis amount of controlled US content. Non-US companies should be aware of the potential compliance obligations under the EAR of incorporating controlled US-origin content into foreign-made items.

Foreign-Produced Direct Product Rule

The Foreign-Produced Direct Product Rule is found in Part 734.3(a), Paragraphs (4) and (5) of the EAR. The Foreign-Produced Direct Product Rule applies to certain foreign-made items that are the direct product of certain US-origin technology or software described in General Prohibition Three.[59] General Prohibition Three also applies to certain items produced in a plant or by a major component of a plant outside the United States that are the direct product of certain technology or software of US origin. It is important to understand that items produced outside the United States may, in some cases, be caught by the Foreign-Produced Direct Product Rule under the EAR and be subject to US export controls. In 2022, BIS added two new foreign direct product rules targeting Russia and Belarus, including the addition of the Russia/Belarus-Military End User FDP Rule.[60] BIS also significantly expanded the scope of items subject to the Foreign-Produced Direct Product Rule restrictions for 28 existing Entity List entities located in China, and established two new foreign direct product rules for ‘supercomputers’,[61] advanced computing integrated circuits and computer commodities that contain integrated circuits that are exported, reexported or transferred (in-country) to or within China or Hong Kong.[62] In 2023, these controls were expanded to Macau because of the potential risk of diversion of items subject to the EAR from Macau to China.[63]

EAR export compliance programme

An effective BIS export compliance programme (ECP) is crucial to any company that interacts with items of US origin or items subject to the EAR. As demonstrated above, the EAR are a complex regime and require a tailored and targeted compliance programme to ensure that appropriate regulatory compliance processes and procedures are in place. Compliance programmes should be tailored to the risk faced by a company. For example, two non-US based companies may have different needs depending on their exposure to items subject to the EAR. Other relevant factors include a company’s industry, its geographic reach, its workforce, its customers and the size and frequency of its transactions. BIS provides several resources on BIS compliance programmes on its website, including elements of an ECP, export compliance guidelines and other background documents.[64] The EAR also contain resources (in Part 732), including an export control decision tree, know-your-customer guidance and red flags at Supplement Nos. 1 and 3, respectively. Proactively identifying US export control risks in a company and establishing a targeted export compliance programme that fits its business is a first step to preventing future violations and identifying potential past problematic transactions.

International Traffic in Arms Regulations

US export controls on most defence articles and defence services are regulated by the ITAR,[65] administered by DDTC.[66] The ITAR implement the Arms Export Control Act[67] and regulate temporary and permanent exports, as well as temporary imports, of defence articles on the United States Munitions List (USML), defence services, and brokering of defence articles and services. The ITAR also contain reporting requirements for certain political contributions, fees or commissions.

Virtually every item subject to the ITAR requires a licence for export, reexport or transfer from DDTC, unless an ITAR exemption applies.

DDTC has offices focused on licensing, policy, and compliance and enforcement.[68]

Scope of the ITAR

Similar to the EAR, the ITAR cover a broad array of items. In understanding the ITAR it is helpful to have an overview of certain key terms, set out below.

‘Defense article’

A ‘defense article’ is any item or technical data designated in the USML,[69] typically having a military, satellite or intelligence application or purpose. It includes ‘forgings, castings, and other unfinished products, such as extrusions and machined bodies, that have reached the stage in manufacturing where they are clearly identifiable by mechanical properties, material composition, geometry, or function as defense articles’.[70]

It also includes ‘technical data’[71] recorded or stored in any physical form that reveal technological information directly related to USML items, or ‘software’ directly related to ‘defense articles’. Specifically, the technical data definition captures information ‘required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation’.[72] Technical data does not include information relating to general scientific, mathematical or engineering principles commonly taught at education institutions; information in the public domain,[73] or basic marketing information on function or purposes or general system descriptions of ‘defense articles’.[74] Neither does it include technical data that has been approved for public release by the responsible US government agency.[75]

‘Defense service’

A ‘defense service’[76] is defined to include (1) the furnishing of assistance (including training) to foreign persons, whether in the United States or abroad in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarisation, destruction, processing or use of ‘defense articles’; (2) the furnishing to a foreign person of any technical data controlled under the ITAR, whether in the United States or abroad; and (3) military training of foreign units and forces, broadly defined.

US persons and foreign persons

A US person is defined under the ITAR as a person who is a lawful, permanent US resident or protected individual as defined in US law, and corporations or other entities that are incorporated to do business in the United States, and any government (federal, state or local) entity.[77]

A foreign person, as defined in the ITAR, is ‘any natural person who is not a lawful permanent resident’ or certain other protected individuals (such as certain refugees or asylees) under US law, as well as foreign companies and other entities that are not incorporated or organised to do business in the United States. International organisations, foreign governments and any agency or subdivision of foreign governments (e.g., diplomatic missions) are also considered foreign persons under the ITAR.[78]

Items subject to the ITAR

USML

Identifying whether an item is on the USML[79] is the first step in determining what ITAR controls may apply to the export or transfer of that item. There are 21 categories of ‘defense articles’ described on the USML, including certain military electronics, launch vehicles, guided missiles and personal protective equipment. Within each category, the USML describes the types of ‘defense articles’, technology and software controlled, in general by describing, for each category, the controlled: end items; major systems and equipment; parts components, accessories and attachments; and technical data and ‘defense services’ relating to the USML category. Certain USML items and related technical data are identified as significant military equipment[80] and are subject to more stringent controls.[81] Certain items on the USML are controlled only if they are ‘specially designed’ for a certain purpose, and must be assessed according to specified criteria as set out in the ITAR.[82] Non-US origin items containing content subject to the ITAR will typically be subject to ITAR jurisdiction through the ‘see-through’ rule.[83]

If it is unclear whether an item is controlled under the ITAR, an exporter may seek a commodity jurisdiction determination (CJ determination) from DDTC. A CJ determination is submitted to DDTC via its online application system and may involve review by several US government agencies, including BIS and the Department of Defense, and any other agencies relevant to the specific application. Some CJ determinations are available on DDTC’s website.[84]

Registration requirements

The US government maintains registration requirements for (1) any person who engages in the United States in the business of manufacturing or exporting or temporarily importing ‘defense articles’ or furnishing ‘defense services’[85] and (2) any US person, wherever located, any foreign person located in the United States and any foreign person located outside the United States that is owned or controlled by a US person that is performing brokering activities (defined to mean any action on behalf of another to facilitate the manufacture, export, permanent import, transfer, reexport or retransfer of a US or foreign ‘defense article’ or ‘defense service’, regardless of its origin).[86] Note that manufacturers of ‘defense articles’ located in the United States are required to register with DDTC, even if they do not export any of their products.[87] Registration is required to be renewed annually and comes with various notification requirements to DDTC, such as the requirement to notify DDTC within five days of any material change to the information contained in the registration statement (e.g., changes in senior management or business structure)[88] as well as a 60-day notification in advance of a sale or transfer of ownership or control to a foreign person.[89] Registration with DDTC does not authorise the export of ‘defense articles’. Registration, rather, is a prerequisite to submission of a licence or eligibility to use an ITAR exemption.

Exports

Export of ‘defense articles’

Any person intending to export, or temporarily import, a ‘defense article’, including hardware, software or technical data, must obtain authorisation from DDTC prior to the transaction, unless an exemption or exception applies. Additionally, DDTC authorisation is required to transfer technical data in the United States to a foreign person, and to reexport, resell, transfer, trans-ship or dispose of ITAR-controlled items, to a new non-US end user, end use or destination, unless authorised by DDTC under a licence or other form of authorisation, exemption or exception. DDTC licences and other specific authorisations discussed below must be applied for, and come with defined time periods, strict limitations and requirements regarding compliance. Exemptions may be used by an exporter without submitting a specific application to DDTC provided all the requirements of the exemption are met. ITAR exemptions can be nuanced; a careful review of the requirements of an exemption should be undertaken to ensure all compliance responsibilities and requirements are understood and met before proceeding. In addition, DDTC has other vehicles for authorising certain activity. For example, ‘general correspondence’ letters are often used to authorise reexports or retransfers from abroad. In addition, DDTC uses ‘technical assistance agreements’ to authorise certain instances in which US persons are providing non-US persons with continuing technical assistance; for example, to provide ‘defense services’ or to support certain design, development or manufacturing activity. DDTC uses ‘manufacturing licence agreements’ to authorise the granting of a licence to a non-US entity to manufacture ITAR-controlled items, such as items manufactured using ITAR-controlled technical data.

In addition, DDTC has published Open General Licenses (OGL) Nos. 1 and 2, which authorise certain persons in Australia, Canada and the United Kingdom to reexport or retransfer certain types of ‘defense articles’, services and technical data controlled under the ITAR between and among the three countries.[90] These OGLs are valid until 31 July 2026 and are intended to facilitate defence trade between the US and these three key allies. A careful review of the requirements of the OGLs should be undertaken to ensure all compliance responsibilities and requirements are understood and met before proceeding with a reexport or retransfer.

Part 126.1 – proscribed countries

It is DDTC’s policy to deny licences and other authorisations for exports and temporary imports of ‘defense articles’ and ‘defense services’ involving countries listed in Part 126.1 of the ITAR.[91] These countries are proscribed for various reasons, including being the subject of a United Nations arms embargo or as countries determined by the US Secretary of State to be state sponsors of terrorism. At the time of writing, exports to the following proscribed countries are subject to a licensing policy of denial: Belarus, Myanmar, China, Cuba, Iran, North Korea, Syria and Venezuela.[92] There are additional countries at ITAR Section 126.1(d)(2), to which Russia was added in 2021, that are not authorised to receive ITAR-controlled items, except as specifically detailed in that Section of the ITAR.

Brokering and political contributions under the ITAR

Brokering

In addition to the controls described above, the ITAR also control ‘brokering’ of ‘defense articles’ and ‘defense services’.[93] In addition to covering the ‘brokering activities’ of US persons, the ITAR brokering restrictions can cover the activities of non-US persons – particularly of foreign persons located in the United States, and foreign persons who are owned or controlled by a US person.[94] Brokering activities include, but are not limited to: ‘financing, insuring, transporting, or freight forwarding defense articles and defense services; soliciting, promoting, negotiating, contracting for, arranging, or otherwise assisting in the purchase, sale, transfer, loan, or lease of a defense article or defense service’.[95] An entity that engages in brokering activities subject to the ITAR may be subject to registration and reporting requirements. There are some carve-outs to the brokering restrictions, including in relation to activities by US persons in the United States that are limited exclusively to US domestic sales not intended for export, US government employees acting in their official capacity, and regular employees acting on behalf of an employer, subject to certain limitations.[96]

Part 130 – political contributions, fees and commissions

The ITAR contain reporting requirements for political contributions, fees or commissions ‘offered, or agreed to pay, related to any sale for which a licence or approval is requested’.[97] Generally, these rules apply to certain authorisations under the ITAR valued at US$500,000 or more and ‘being sold commercially to or for the use of the armed forces of a foreign country or international organization’.[98] Suppliers contracting with the Department of Defense for the sale of ‘defense articles’ or ‘defense services’ also have reporting requirements under Part 130.[99]

ITAR compliance programme

An effective ITAR compliance programme (ICP) is crucial to any company that interacts with ‘defense articles’, ‘defense services’ and ITAR-controlled technical data. In 2022, DDTC issued new ITAR Compliance Program Guidelines outlining DDTC’s expectations for an effective ICP.[100] The ITAR Compliance Program Guidelines are similar to compliance programme guidelines issued by other federal agencies such as OFAC and BIS, although the ITAR Compliance Program Guidelines also provide guidance on ITAR-specific topics such as the DDTC Registration requirement and Part 129 and Part 130 record-keeping and reporting obligations. Proactively identifying ITAR compliance risks in a company and establishing a targeted ICP that fits its business is a first step to preventing future violations and identifying potential past problematic transactions.

Enforcement

Both US persons and non-US persons can be subject to significant penalties and other consequences for violations of the EAR and ITAR. Both civil and criminal penalties can be assessed on companies and individuals, including criminal or deferred prosecution agreements for companies and imprisonment for individuals. In recent years, the US government, through its individual agencies, has intensified enforcement of US export control laws, assessing steep penalties and imposing other consequences, such as debarment from exports of ‘defense articles’ under the ITAR, placement on the BIS Entity List, restricting access to items subject to the EAR or the BIS Denied Persons List, and denying export privileges from the United States. These restrictions can have a significant effect on a company’s bottom line, cut off access to US-origin items, technology and software, and result in the investigation and prosecution of individuals within a company, among other things.

Penalties

Penalties for violations of the ITAR and EAR can be severe.[101]

For violations of the EAR, criminal penalties can include a fine of up US$1 million per violation for a company and up to US$1 million or imprisonment for up to 20 years, or both, for an individual.[102] Civil penalties can include penalties of up US$300,000 (adjusted annually for inflation) or twice the value of the transaction for each violation, whichever is greater.[103] Other penalties under the Export Control Reform Act include revocation of a licence issued by BIS, and prohibitions or restrictions on a person or company’s ability to export, reexport or transfer any items subject to the EAR.[104]

Criminal penalties for violations of the ITAR include a fine of up to US$1 million per violation for a company and the same monetary penalty or imprisonment for up to 20 years, or both, for an individual.[105] Civil penalties can exceed US$1 million per violation, as modified each year for inflation.[106] The ITAR also contain ‘statutory’ and ‘administrative’ debarment as both a civil and criminal penalty. Debarred persons are prohibited from participating in the export of ‘defense articles’ (including technical data) and ‘defense services’, directly or indirectly.[107] Settlements with DDTC are done under consent agreements.

In recent years, the use of monitorships to oversee a company’s compliance has been used by both BIS and DDTC and factored into the penalty assessment, as monitorships can last for years and be costly to the company under scrutiny. Other types of penalties include seizure and forfeiture of property, which may also be available in some enforcement actions under both the EAR and ITAR.

Voluntary self-disclosure

Companies seeking to mitigate potential penalty exposure may choose to file a voluntary self-disclosure (VSD) with the appropriate agency. Whether to voluntarily self-disclose an export control violation is a fact-specific decision. There are some benefits that may come with submission of a VSD, such as mitigation of penalties and credit for cooperation.

Although a VSD is by definition voluntary, there are situations in which a disclosure is mandatory, or in which a company finds itself in a situation of needing to disclose a prior violation. The ITAR, for example, require immediate notification to DDTC if there is a violation of the ITAR with respect to a country that is proscribed pursuant to Part 126.1 of the ITAR.[108] Certain ITAR consent agreements also mandate disclosure of violations.

The need to conduct activity on a forward-looking basis may also compel a disclosure as a practical matter. Under General Prohibition Ten of the EAR, it is prohibited to engage in virtually any activity with respect to an item that is known to have been exported in violation of the EAR. This means that any time a company wants to do something involving an item that has been unlawfully exported, it must seek BIS permission – which is often accompanied by a voluntary disclosure. Finally, under both the EAR and the ITAR, companies applying for a licence for forward-looking activity, when the applicant has been involved previously in substantially similar activity involving the same product and customer without proper authorisation, may also feel compelled to disclose past violations in an effort to avoid a ‘material omission’ in their licence application.

BIS strongly encourages the submission of VSDs by providing a 50 per cent reduction in the base penalty amount in most cases, with possible full penalty suspension for VSD cases with a combination of mitigating factors, such as cooperation.[109] Without a VSD, mitigation will generally not exceed 75 per cent of the base penalty.[110] BIS often closes VSD cases without imposing a penalty.

In addition, in 2023, BIS announced that the deliberate non-disclosure of a significant potential violation (meaning one reflecting possible national security harm, as opposed to minor, technical violations) would be treated as an aggravating factor to adjust the base penalty amount upwards.[111] BIS also announced that whistle-blowing of significant potential violations by another party that ultimately results in a BIS enforcement action will be considered a mitigating factor in any future enforcement action involving the whistle-blower, even for unrelated conduct. These policy changes are the latest initiative by the US government to incentivise corporate investment in export compliance by targeting companies involved in significant EAR violations. For instance, in a June 2022 memorandum designed to strengthen BIS’s administrative enforcement of US export controls, BIS announced, among other major changes, that it would fast-track VSDs involving minor or technical infractions while focusing BIS’s resource on investigating EAR violations that reflect serious national security harm.[112]

DDTC also strongly encourages disclosure and may consider the submission of a VSD to be a mitigating factor.[113] DDTC will also consider the failure to submit a VSD to be an adverse factor when determining the disposition of a case.[114] DDTC often resolves VSDs without imposing any penalties – typically reserving the imposition of penalties for more egregious cases threatening US national security, or cases where DDTC believes the exporter acted wilfully or with gross negligence.

For both DDTC and BIS, to be deemed voluntary a disclosure must be received before any government agency obtains knowledge of the ‘same or substantially similar information from another source’.[115]

Other US government agencies, such as OFAC and the Department of Justice, also have VSD rules that, depending on the scope of the violation, should be considered when evaluating whether to submit a VSD.

VSD rules are codified in each of the relevant regulations and generally include the opportunity for a high-level initial notification to the government agency followed in a timely manner by a full report of the potential violations. The timeline requirements for disclosures are found in each agency’s regulations.[116]

Other enforcement information

Key enforcement trends for both BIS and DDTC include the use of: (1) monitorships (or under the ITAR, a special compliance officer) to monitor a company’s compliance with the relevant regulations for a specified period after settlement and provide the results via written reports to the regulators;[117] (2) interim measures, such as placement on the BIS Entity List or revocation of export privileges, to encourage cooperation during an active enforcement investigation;[118] and (3) global settlements to address violations of various US laws involving related conduct.[119] More recently, particularly in the context of Russia-related enforcement, BIS has been relying on its power to issue temporary denial orders[120] when it deems doing so necessary to prevent an ‘imminent violation’ of applicable export controls.

BIS has published administrative enforcement guidelines ‘to promote greater transparency and predictability to the administrative enforcement process’.[121] These guidelines align fairly closely with those issued by OFAC, discussed elsewhere in this Guide. DDTC has not provided similar enforcement guidelines.

Conclusion

US export controls are a complex area of US law that can have a far-reaching extraterritorial effect if items, software or technology of US origin are involved. To ensure compliance, it is important to identify potential risk exposure under US export controls and design a compliance programme to address that risk adequately, such as implementation of appropriate due diligence and ensuring an understanding of items in the supply chain that may be subject to US controls. Not all US and non-US companies will have the same level of risk under US export controls, but failure to identify the potential risks can lead to serious issues for US and non-US companies alike.


Footnotes

[1] Meredith Rathbone is a partner and Ryan Pereira is an associate at Steptoe & Johnson LLP. The authors are grateful to Hena Schommer for her significant contributions and insights as a co-author of earlier versions of this chapter.

[2] 15 Code of Federal Regulations (C.F.R.) § 730 et seq.

[3] 22 C.F.R. § 120 et seq.

[4] See Expansion of Sanctions Against Russia and Belarus Under the Export Administration Regulations (EAR), 87 Fed. Reg. 22130 (8 April 2022); Implementation of Additional Sanctions Against Russia and Belarus Under the Export Administration Regulations (EAR) and Refinements to Existing Controls, 87 Fed. Reg. 57068 (15 September 2022).

[5] Implementation of Additional Sanctions Against Russia and Belarus Under the Export Administration Regulations (EAR) and Refinements to Existing Controls, 88 Fed. Reg. 12175 (24 February 2023).

[6] Memorandum on United States Conventional Arms Transfer Policy, National Security Memorandum/NSM-18 (23 February 2023).

[7] ibid.

[8] Additions to the Entity List; Amendment To Confirm Basis for Adding Certain Entities to the Entity List Includes Foreign Policy Interest of Protection of Human Rights Worldwide, 88 Fed. Reg. 18983 (28 March 2023).

[9] Bureau of Industry and Security, Human Rights FAQs (March 2023).

[10] ibid.

[11] Matthew S Axelrod, Memorandum for All Export Enforcement Employees: ‘Addressing the National Security Risk that Foreign Adversaries Pose to Academic Research Institutions’ (28 June 2022).

[12] ‘FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Urge Increased Vigilance for Potential Russian and Belarusian Export Control Evasion Attempts’, FIN-2022-Alert003 (28 June 2022).

[13] See 37 C.F.R. Part 5.

[15] 15 C.F.R. § 730 et seq. The Export Control Reform Act (ECRA), 50 U.S.C. §§ 4801–4852 (2018), became law on 13 August 2018 and provides the permanent statutory authority for the EAR.

[16] 15 C.F.R. § 744 (Supplement 1).

[17] An organisation chart is available from the US Department of Commerce’s Bureau of Industry and Security (BIS), at www.bis.doc.gov/index.php/documents/about-bis/692-bis-organization-chart/file.

[18] 15 C.F.R. § 744.6.

[19] The term ‘export’ is defined at 15 C.F.R. § 734.13(a) and includes: ‘An actual shipment or transmission out of the United States, including the sending or taking of an item out of the United States, in any manner.’

[20] 15 C.F.R. § 734.14.

[21] 15 C.F.R. § 734.16.

[22] See 15 C.F.R. § 734.13(a)(2).

[23] 15 C.F.R. § 734.13(b).

[24] See 15 C.F.R. § 734.3.

[25] See 15 C.F.R. § 734.3(a)(4).

[26] See 15 C.F.R. §§ 734.3(a)(4)–(5) and 734.9.

[27] See EAR: Addition of Huawei Non-U.S. Affiliates to the Entity List, the Removal of Temporary General License, and Amendments to General Prohibition Three (Foreign-Produced Direct Product Rule), 85 Fed. Reg. 51,596 (20 August 2020); Amendments to General Prohibition Three (Foreign-Produced Direct Product Rule) and the Entity List, 85 Fed. Reg. 29,849 (19 May 2020).

[28] See 15 C.F.R. § 734.9(f) and (g).

[29] See Export Control Measures Under the Export Administration Regulations (EAR) To Address Iranian Unmanned Aerial Vehicles (UAVs) and Their Use by the Russian Federation Against Ukraine, 85 Fed. Reg. 12155 (24 February 2023).

[30] See 15 C.F.R. § 734.3(b) for a complete list of items that are not subject to the EAR.

[31] 15 C.F.R. Part 732.

[32] See 15 C.F.R. § 732.1(b).

[34] See 15 C.F.R. § 736.2(b)(10).

[35] See 15 C.F.R. § 736.2(b)(7). See also Federal Register: Expansion of Certain End-Use and End-User Controls and Controls on Specific Activities of U.S. Persons, 86 Fed. Reg. 4865 (15 January 2021) and 86 Fed. Reg. 18433 (9 April 2021); Imposition of Sanctions Against Belarus Under the Export Administration Regulations (EAR), effective 2 March 2022, 87 Fed. Reg. 13048 (8 March 2022).

[36] See 15 C.F.R. § 734.3(a) for a complete list of items that are subject to the EAR.

[37] For more guidance, visit BIS’s website or review the BIS presentation on how to classify your item, at www.bis.doc.gov/index.php/documents/compliance-training/export-administration-regulations-training/247-howtoclassifyitem-pdf/file.

[38] See, generally, C.F.R. § 736.2. The General Prohibitions provide the framework for restrictions on activities or circumstances when a licence may be required.

[39] See 15 C.F.R. Part 746. This part of the EAR, ‘Embargoes and Other Special Controls’, imposes comprehensive and targeted controls.

[40] 15 C.F.R. § 738 (Supplement 1).

[41] See Federal Register: Removal of Hong Kong as a Separate Destination under the Export Administration Regulations, 85 Fed. Reg. 83,765 (23 December 2020); Revision to the Export Administration Regulations: Suspension of License Exceptions for Hong Kong, 85 Fed. Reg. 45,998 (31 July 2020).

[42] See 15 C.F.R. § 736.2(b)(9).

[43] See 15 C.F.R. §§ 736.2(b)(5) and 744.21.

[44] See Federal Register: Expansion of Export, Reexport, and Transfer (in-Country) Controls for Military End Use or Military End Users in the People’s Republic of China, Russia, or Venezuela, 85 Fed. Reg. 23,459 (28 April 2020); Expansion of Export, Reexport, and Transfer (in-Country) Controls for Military End Use or Military End Users in the People’s Republic of China, Russia, or Venezuela (Correction), 85 Fed. Reg. 34,306 (3 June 2020); Burma: Implementation of Sanctions, 86 Fed. Reg. 13,173 (8 March 2021).

[45] See EAR: Addition of ‘Military End User’ (MEU) List to the Export Administration Regulations and Addition of Entities to the MEU List, 85 Fed. Reg. 83,793 (23 December 2020).

[46] See 15 C.F.R. § 746.8. See also, Federal Register: Implementation of Sanctions Against Russia Under the Export Administration Regulations (EAR), 87 Fed. Reg. 12226 (24 February 2022); Imposition of Sanctions Against Belarus Under the Export Administration Regulations (EAR), 87 Fed. Reg. 13048 (8 March 2022).

[47] See 15 C.F.R. § 746.8.

[49] BIS clarified its position in August 2020 here: Clarification of Entity List Requirements for Listed Entities When Acting as a Party to the Transaction Under the Export Administration Regulations (EAR), 85 Fed. Reg. 51,335 (20 August 2020).

[50] See 15 C.F.R. Part 744 (Supplement 4), Entity List.

[51] Additions to the Entity List; Amendment To Confirm Basis for Adding Certain Entities to the Entity List Includes Foreign Policy Interest of Protection of Human Rights Worldwide, 88 Fed. Reg. 18983 (28 March 2023).

[52] ibid.

[53] See, generally, 15 C.F.R. Part 766.

[54] BIS, Lists of Parties of Concern (footnote 48).

[55] See Revisions to the Unverified List; Clarifications to Activities and Criteria That May Lead to Additions to the Entity List, 87 Fed. Reg. 61971 (7 October 2022).

[56] 15 C.F.R. § 744.15(b).

[57] ibid.

[58] See Federal Register: Revisions to the Unverified List, 88 Fed. Reg. 17706 (24 March 2023).

[59] See 15 C.F.R. § 736.2(b)(3).

[60] 15 C.F.R. § 734.9(f) and (g).

[61] A ‘supercomputer’ is defined as a ‘computing “system” having a collective maximum theoretical compute capacity of 100 or more double-precision (64-bit) petaflops or 200 or more single-precision (32-bit) petaflops within a 41,600 ft3 or smaller envelope.’ 15 C.F.R. § 772.1.

[62] Implementation of Additional Export Controls: Certain Advanced Computing and Semiconductor Manufacturing Items; Supercomputer and Semiconductor End Use; Entity List Modification, 87 Fed. Reg. 62186 (7 October 2022).

[63] Implementation of Additional Export Controls: Certain Advanced Computing and Semiconductor Manufacturing Items; Supercomputer and Semiconductor End Use; Entity List Modification; Updates to the Controls To Add Macau, RIN 0694–AI94 (17 January 2023).

[65] See 22 C.F.R. Parts 120–130.

[67] See 22 U.S.C. § 2778. The Arms Export Controls Act of 1976, as amended (AECA) is the primary statutory authority for the International Traffic in Arms Regulations (ITAR).

[69] See 22 C.F.R. Part 121.

[70] 22 C.F.R. § 120.31.

[71] 22 C.F.R. § 120.33.

[72] ibid. The technical data definition also includes: classified information relating to ‘defense articles’ and ‘defense services’ (and some items controlled on the EAR’s Commerce Control List); information covered under an invention secrecy order; and software related to ‘defense articles’. See id., at § 120.33(a), Paragraphs (2)–(4).

[73] See 22 C.F.R. § 120.33(b). Generally, items in the public domain are public information, which is published, generally accessible or available to the public through news sources, libraries, unlimited distribution at conferences and trade shows, and available through unlimited distribution, not necessarily in published form, including fundamental research, as described in § 120.34(a)(8).

[74] See 22 C.F.R. § 120.31(b).

[75] The agency responsible for these reviews is the Department of Defense, Defense Office of Prepublication and Security Review; more information is available at www.esd.whs.mil/DOPSR/.

[76] See 22 C.F.R. § 120.32.

[77] See 22 C.F.R. § 120.62 for the definition of ‘person’ under the ITAR.

[78] 22 C.F.R. § 120.63.

[79] See 22 C.F.R. § 121.1.

[80] See 22 C.F.R. § 121(a)(2).

[81] See 22 C.F.R. § 120.41.

[82] ibid.

[83] See 22 C.F.R. § 121.11(c).

[84] The US Department of State’s Directorate of Defense Trade Controls’ (DDTC) website contains more information regarding commodity jurisdiction determinations, at www.pmddtc.state.gov/ddtc_public?id=ddtc_kb_article_page&sys_id=%20249f7c0adb6cf7007ede365e7c9619fd.

[85] See 22 C.F.R. § 122.1 (registration requirements for manufacturers and exporters).

[86] See 22 C.F.R. § 129.3 (registration requirements for brokering activities subject to the ITAR).

[87] See 22 C.F.R. § 122.1(a).

[88] See id., at § 122.4(a).

[89] See id., at § 122.4(b).

[90] See ITAR: Issuance of Open General Licenses 1 and 2, 87 Fed. Reg. 43366 (20 July 2022); see also, DDTC Issuance and Publication of Open General License Pilot Program Extended Validity Period (27 March 2023).

[91] See 22 C.F.R. § 126.1, see also 22 C.F.R. §§ 126.2 and 126.3 for suspension, modification or exceptions that may be granted by the Deputy Assistant Secretary for Defense Trade Controls.

[92] id., at 126.1(d)(1).

[93] See 22 C.F.R. Part 129.

[94] id., at § 129.2.

[95] id., at § 129.2(b)(1), Paragraphs (i) and (ii).

[96] See id., at §§ 129.2(b)(2) and 126.18, for further details regarding exemptions for intra-company, intra-organisation and intra-governmental transfers.

[97] See id. at § 130.9(a)(1).

[98] id., at § 130.2.

[99] See id., at §§ 130.7 and 130.9(b).

[100] ITAR Compliance Program Guidelines, Bureau of Political-Military Affairs Directorate of Defense Trade Controls.

[101] The relevant penalties to be considered include those set forth under the AECA, 22 U.S.C. §§ 2778–2780 (2012); ECRA, 50 U.S.C. §§ 4801–4852 (2018); and 18 U.S.C. § 3571 (2012) (the alternative criminal fine provision). Note that penalties provisions are frequently amended and penalty amounts are adjusted for inflation.

[102] See ECRA, 50 U.S.C. § 4819(b) (2018).

[103] See id., at § 4819(c)(1)(A) (2018).

[104] See id., at § 4819(c)(1), Paragraphs (B) and (C) (2018).

[105] See AECA, 22 U.S.C. § 2778(c).

[106] See 22 C.F.R. § 127.10(a)(1)(i) (‘for each violation of 22 U.S.C. 2778’).

[107] See id., at § 127.7.

[108] See id., at § 126.1(e)(2).

[109] 15 C.F.R. Part 766 (Supplement 1).

[110] ibid.

[111] Matthew S Axelrod, Memorandum for All Export Enforcement Employees: ‘Clarifying Our Policy Regarding Voluntary-Self Disclosures and Disclosures Concerning Others’ (18 April 2023).

[112] Matthew S Axelrod, Memorandum for All Export Enforcement Employees: ‘Further Strengthening Our Administrative Enforcement Program’ (30 June 2022).

[113] See 22 C.F.R. § 127.12(a) (2018).

[114] ibid.

[115] See, generally, 15 C.F.R. § 764.5(b)(3); 22 C.F.R. § 127.12(b)(2).

[116] See, generally, 15 C.F.R. § 764.5; 22 C.F.R. § 127.12.

[117] See US Department of State, Bureau of Political-Military Affairs, In the Matter of: Airbus SE (29 January 2020), at www.pmddtc.state.gov/sys_attachment.do?sysparm_referring_url=tear_off&view=true&sys_id=136d4db3db6204907ede365e7c9619ea, as an example under the ITAR; see also Judgment, United States v. ZTE Corp., No. 3:17-cr-00120-K-1 (N.D. Tex. 22 March 2017), as an example under the EAR.

[118] See Addition of an Entity to Entity List, 81 Fed. Reg. 12004, 15 C.F.R. Part 744 (2016) (adding ZTE Corporation and several affiliates to the Entity List).

[119] See Press Release, US Department of Justice, ‘Airbus Agrees to Pay Over $3.8 Billion in Global Penalties to Resolve Foreign Bribery and ITAR Case’ (31 January 2020), at www.justice.gov/opa/pr/airbus-agrees-pay-over-39-billion-global-penalties-resolve-foreign-bribery-and-itar-case.

[120] 15 C.F.R. § 766.23.

[121] See 15 C.F.R. § 766 (Supplement 1) (‘Guidance on Charging and Penalty Determinations in Settlement of Administrative Enforcement Cases’).

Unlock unlimited access to all Global Investigations Review content