European Union: The European Commission Sets Out Its Expectations On Internal Compliance Programs For Dual-Use Controls

Last Updated: 13 August 2019
Article by Lourdes Catrain, Falk Schöning, Aline Doussin, Jérémie Charles and Eleni Theodoropoulou
Most Read Contributor in Belgium, August 2019

Compliance with export control laws is one of the main challenges of a compliance department. Yet significant personal risks for management have put the topic high on the agenda of legal/compliance departments. To enhance their level of compliance with these rules, the European Commission (commission) just published its recommendation on internal compliance programs (ICP) for dual-use trade controls (the guidance). The guidance contains legally nonbinding elements that should be considered by EU companies concerned by dual-use trade controls in designing an effective ICP.

Background

EU law imposes substantive rules for the export of dual-use items, which are implemented and enforced at the member state level. Dual-use items are defined as all goods, including software and technology, which can be used for both civil and military purposes. The EU dual-use regulation establishes a regime for the control of exports of dual-use goods, technology, and software outside the European Union. In its current form, the dual-use regulation does not contain ICP requirements with which companies must comply. Article 12(2) provides that, when determining whether to grant a global export authorization, competent authorities must consider the application by the exporter of "proportionate and adequate means and procedures to ensure compliance" with the dual-use regulation and the terms of the license. As a result, member states may require ICP implementation for simplified procedures or otherwise take it into account in their enforcement activities.1

In the past couple of years, discussions on the modernization of the dual-use regulation included a proposal for the introduction of ICP requirements for global export authorizations and EU General Export Authorisation for intracompany transmission of software and technology. The discussion was enriched by common approaches and practices concerning ICPs by various member states, which helped map the current state of relevant authorities' expectations for businesses. 

These elements resulted in the guidance, which provides for a framework to help exporters identify, manage, and mitigate risks associated with dual-use trade controls and ensure compliance with applicable laws. It also aims to help competent authorities in their assessment of risks when considering the issuance of individual, global, or national export licenses. 

The guidance builds on existing approaches in export control compliance, including in the context of the Wassenaar Arrangement, the Nuclear Suppliers Group, the results of the fourth Wiesbaden Conference (2015), and the 2017 U.S. export control and related border security program ICP guide.

Main principles

The guidance is not legally binding, but exporters' obligations and responsibilities stemming from the dual-use regulation are maintained. 

The guidance takes into consideration the particularities of each exporter. As a result, the scope and extent of ICPs in companies depend on the size and commercial activities of the company, the strategic nature of the company's items, possible end-use/end-users, geographic presence of clients, and the complexity of internal export processes. In other words, ICPs must be tailor-made for each company, easy to understand and follow, and capture the day-to-day operations in the company. 

In order to achieve this, the guidance recommends that companies hold a risk assessment before developing or reviewing their ICP, in order to determine their dual-use risk profile and identify relevant vulnerabilities. Such risk assessment should consider the product range, the customer base, and business activity that could be affected by dual-use controls. The establishment or review of the ICP should be based on the outcomes of such risk assessment. 

Finally, the guidance clarifies that, if a company holds a valid Authorized Economic Operator authorization, the relevant assessment of its customs activities may be taken into account for developing or reviewing their ICP. In this context, the authorities' prior review in the customs area may prove valuable in determining certain aspects of the ICP, such as physical security and record keeping.

The core elements of an ICP

The guidance contains seven main elements that are deemed to be the cornerstones of an effective ICP and may be used by exporters for benchmarking their compliance approach. For each element, the guidance describes the relevant objectives and authorities' expectations ("What is expected?") and the steps necessary to reach these objectives ("What are the steps involved?"). 

The seven elements are not an exhaustive list and include the following:

  • Top-level management commitment to compliance: Effective ICPs should be based on a top-down approach, through which management gives significance, legitimacy, and resources for the compliance commitments and overall culture in the company. This should be achieved through: (a) building compliance leadership; (b) drafting a written statement on internal compliance procedures; and (c) providing clear, strong, and continuous support to compliance. 
  • Organization structure, responsibilities, and resources: The implementation of compliance procedures relies on sufficient organizational, human, and technical resources. In this context, a clear organization structure and well-defined responsibilities contribute to minimizing oversights. This aspect should include: (a) written organizational structure identifying person(s) with the overall compliance responsibility; (b) well-defined roles and qualified personnel in relevant roles, protected from conflicts of interest and having the power to stop transactions that present risks; and (c) documented internal procedures (e.g., a compliance manual). 
  • Training and awareness-raising: Training is an essential aspect of ICPs, especially with respect to staff relevant to dual-use controls. Training may be conducted through external seminars, sessions by competent authorities, in-house training, or any other method. Importantly, training should be compulsory and regular for dual-use trade control staff, while all employees in a company must be aware of relevant risks and procedures. 
  • Transaction screening process and procedures: These procedures aim to collect and analyze relevant information to allow companies to determine whether a transaction involving dual-use items is controlled, and develop and maintain a standard of care for handling suspicious orders. Such processes and procedures concern the following elements: (a) products classification; (b) transaction risk assessment, including checks on sanctioned countries, screening of counterparties, diversion risks, and "catch-all controls"; (c) license determination and application; and (d) post-licensing compliance with the relevant license conditions. 
  • Performance review, audits, reporting, and corrective actions: This element refers to the review, test, and revision of ICPs and related internal measures at companies. It aims to ensure that the ICP is implemented in a manner consistent with applicable EU and member states' legislation and should include: (a) clear reporting procedures and escalation actions; (b) systematic, targeted, and documented audits; (c) control mechanisms as part of the daily operations; and (d) ways to ensure all employees feel comfortable reporting potential breaches, such as whistleblower policies and escalation procedures.
  • Record-keeping and documentation: Comprehensive record-keeping systems are crucial in contributing to effective audits, compliance with national document retention requirements (the dual-use regulation provides for a minimum document retention period of three years), and facilitating cooperation with national authorities. Such systems should include procedures and guidelines for: (a) storing legal documents, (b) managing records, and (c) tracing dual-use related activities. 
  • Physical and information security: Dual-use items should be protected through appropriate security measures addressing risks of unauthorized removal or access thereto. Ensuring physical and information security is vital for complying with applicable rules.  

The guidance also includes an annex of questions pertaining to a company's ICPs that may be useful for developing and updating ICPs. Finally, the guidance also contains a nonexhaustive list of "red flags" that warrant greater vigilance when detected in dual-use related transactions, pertaining to dual-use products, their end-use and end-users, the shipment process, and the financing conditions.

What changes for EU exporters?

The guidance aims to ensure that companies involved in the export of dual-use items have in place adequate and effective systems to track transactions, identify, and prevent potential risks, thus allowing compliance with applicable EU and national rules. 

The guidance constitutes a compilation of past experiences and best practices identified in relevant export controls regimes worldwide. However, the current dual-use trade controls regime in the European Union does not change and exporters maintain their responsibility to comply with obligations under the dual-use regulation. 

The guidance will contribute to crystallizing best practices in the area of export controls by setting the scene and appropriate benchmarks for EU companies when establishing their ICP.

Footnote

1 Note that member states such as Germany, the Netherlands, and the United Kingdom have published their own ICP guidance for exporters.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions