DDTC Issues New Compliance Program Guidelines
The State Department’s Directorate of Defense Trade Controls this week released its long-awaited updated compliance program guidelines (see 2211100023), which are intended to outline and detail “key elements” of an effective compliance program, the agency said. The 63-page document includes instructions on how to design a program for defense companies and universities that deal with items controlled on the U.S. Munitions List, as well as sections on recordkeeping, reporting, International Traffic in Arms Regulations training, risk assessment audits and more. DDTC stressed that “scope of ITAR activity in which different organizations engage varies substantially,” and each compliance program “should be tailored to address each organization’s ITAR-controlled activities, risk factors, and size.”
The guidelines emphasize that commitment from management is “one of the most important factors in creating a deeprooted culture of ITAR compliance within organizations,” adding that commitment should extend to “managers at all levels within the organization.” The agency said managers should incorporate compliance into employee performance evaluations and CEOs or presidents of the company should “personally sign” an export compliance management commitment statement, which should be communicated to all employees
“Through their words and actions, management should encourage compliance and should discourage the prioritization of business or other interests over compliance,” the guidelines said. “Employees should have a high level of assurance that ITAR compliance is management’s greatest priority in all export-related decisions.”
The guidelines also said organizations should screen all parties in an ITAR-related transaction before doing business with them, including against the government's Consolidated Screening List, which includes sanctions implemented across the State, Treasury and Commerce departments. Organizations also should have a plan for how often they should screen their customers, DDTC said, and should assign recordkeeping roles and responsibilities to specific employees.
The agency stressed the importance of voluntary disclosures, saying early reporting of a potential violation can “mitigate an organization’s legal exposure.” Companies should have a “mechanism” through which employees can report suspected ITAR violations, the guidelines said, adding that the company must disclose a violation before the government becomes aware of it in order to receive any potential penalty mitigation credit.
“Accordingly, an organization that wishes to obtain the significant mitigation credit for voluntary disclosures should disclose any violations as quickly as possible to DDTC,” the agency said. “Failure to voluntarily disclose a violation may result in circumstances detrimental to U.S. national security and foreign policy interests and will be an adverse factor in determining the appropriate disposition of the matter.” DDTC said it reviews and closes most voluntary disclosures “without any administrative action.”
Organizations also should have an ITAR compliance manual, which provides “all employees with a written, authoritative source that sets forth the organization’s policies and procedures for ITAR compliance,” DDTC said. The export compliance team should “take the lead” in drafting the manual, which should be updated “periodically” for changes to any DDTC guidance, best practices learned, compliance vulnerabilities identified, key risk areas and more.