Article Bloomberg Law

INSIGHT: Trade Compliance Tips for Software and Web Service Providers

Technology companies face strict liability for violating economic sanctions and export controls. Kirkland & Ellis attorneys give tips on how these companies can make their trade compliance programs as cutting edge as their products and services.

Trade compliance professionals in technology companies face the unique challenge of designing risk-based compliance tools adapted to the latest innovations in products, web services, and platforms.

Though the U.S. government advocates companies implement risk-based compliance solutions, companies actually face strict liability for any violations of economic sanctions and export controls, and balancing compliance risks against the realities of the fast-changing tech industry can be especially difficult.

The following tips can help keep your trade compliance program as cutting edge as your products and services.

Calibrate Your Screening Program

Many customers demand instant access to products and services as soon as they set up an account. Companies face difficulties screening customers against U.S. government restricted party lists and clearing false positives at the fast pace that the market demands. Even temporarily approving a transaction while screening occurs can risk committing a violation. High customer volumes can make designing an effective screening program that can work at the speed of business especially challenging.

Additionally, customers that register for online services may have limited incentives to provide complete physical addresses, either because there is no need for shipment or for privacy reasons. However, accurate physical addresses can be vital for clearing parties in restricted list searches.

The Office of Foreign Assets Control (OFAC) has penalized companies for screening programs that do not catch subtle variations in names or addresses (e.g., spelling, capitalization). In light of these challenges, it is important to require and receive a meaningful amount of identifying information about counterparties in order to effectively screen and identify bad actors.

Although tech companies employing software engineers can be tempted to write their own screening programs, specialist third party vendors have finely tailored their products to the regulations and may be worth considering. Companies may also want to use a plug-in to verify that customer addresses are legitimate, or IP blocking to prohibit customers in embargoed countries.

Avoid Inadvertent Exports

A company must carefully determine whether it engages in exports, as failing to identify those scenarios can result in unwitting violations, which in the software and services space can quickly multiply. U.S. export controls reach beyond the shipment of tangible items abroad, and can include providing software online for local download or sending controlled technical data via email.

Providers of Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS) should not automatically assume their activities are not exports without first consulting the rules.

As of Dec. 26, 2019, both the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) do not consider the sending abroad of certain unclassified technical data to be an export if the data is encrypted end-to-end using encryption modules compliant with the “FIPS 140-2” standard or its successors.

Compliance personnel for companies providing cloud-based solutions should ensure the company’s activities meet the applicable criteria.

Refresh Your Product Classifications

This year, the Commerce Department is likely to issue (or in any event, propose) new export controls on emerging technologies, which would subject additional products to licensing requirements. The forthcoming regulations are likely to impact the tech industry, including products related to artificial intelligence, microprocessors, autonomous driving, robotics and quantum computing.

Certain open source and publicly available products are not subject to the EAR, while other software and hardware implementing encryption is on the Commerce Control List. It is prudent to review classifications on a regular basis to account for any regulatory changes. Companies often implement an automated system to flag shipments that may require a license based on classification and end user.

Rely on Available General Licenses, But Carefully

Companies should also regularly review any applicable OFAC General Licenses or applicable License Exceptions in the EAR. To improve access to the internet and telecommunications, OFAC has issued General Licenses that authorize provision of certain types of software and technology to some sanctioned countries.

In addition, License Exception ENC in the EAR eliminates license requirements for many types of software that are only controlled due to encryption functionality. Reviewing and understanding these exceptions and their requirements, and refreshing the analysis often, can help in establishing a smoother supply chain and business model.

Avoid Deemed Export Pitfalls

Under the EAR and ITAR, the “release” of technical data or source code to a foreign national in the United States is considered to be an export to the foreign national’s home country (a “deemed export”).

As more companies rely on foreign nationals for software development and engineering services, the risk of unauthorized deemed exports has increased. Classifying products and technology is a good first step in determining whether restrictions apply to any foreign national employees.

Creating a technology control plan is another useful way to implement procedures to control employee access to restricted items or technology. Consult with labor counsel to check that such procedures are consistent with anti-discrimination laws and employee rights.

Remember Foreign-Made Products With U.S. Content

In addition to controls over products made in the U.S., U.S. export controls extend to products made abroad that contain more than the specified “de minimis” quantities of controlled U.S. content, or that are the “direct product” of certain types of controlled technologies.

As these rules are currently in flux regarding exports to countries such as China, maintaining a close watch on non-U.S. manufactured items and tracing U.S.-origin content are key compliance program challenges.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Mario Mancuso is a partner at Kirkland & Ellis and leads the firm’s International Trade and National Security practice. A former member of the president’s national security team, he specializes in counseling clients on international trade and national security matters, guiding clients through the CFIUS process, and resolving crises involving economic sanctions and export control-related investigations by the U.S. government.

Abigail Cotterill, of counsel in Kirkland’s Washington, D.C. office, regularly provides legal advice to companies, financial institutions, and private equity sponsors on the regulatory and other risks of operating or investing across international borders, with a focus on economic sanctions, export controls, and anticorruption.

Carolyn Schroll is an associate in the International Trade and National Security Practice in the Washington, D.C., office of Kirkland & Ellis LLP, focusing her practice in the areas of national security reviews by CFIUS, export controls, trade and economic sanctions, customs, anti-boycott restrictions, anti-money laundering regulations, and compliance with the U.S. Foreign Corrupt Practices Act.

Reproduced with permission. Published March 18, 2020. Copyright 2020 The Bureau of National Affairs, Inc. 800- 372-1033. For further use, please visit