Supporting you in your journey towards a complete Internal Compliance Program.
The Ultimate Guide To Export Control Compliance
Introduction
What is Export Control Compliance?
"Export control" refers to the laws and regulations applied globally, regionally, and by individual countries to manage the export (including transit, brokerage, technical assistance, and financing) of certain sensitive items, such as defense-related or dual-use items and technology. These items are controlled (and included in the so-called control lists) because trading in them could threaten national or international security.
Internal Compliance Program
Taking into consideration rapid scientific and technological advancements, the complexity of today's supply chains, and the ever-growing significance of nonstate actors, adequate trade controls depend to a great extent on the awareness of companies and their active efforts to comply with trade restrictions. To this end, companies usually set internal policies and procedures, also known as an Internal Compliance Programme (ICP), to ensure compliance with international and national trade control laws and regulations.
The company's size and commercial activities usually determine the scope and extent of these policies and procedures.
The Basics
Why should I have or get an ICP?
Why should you invest in an Internal Compliance Program? We are here to shed some light on the pros and cons. Please note that all of the cons stated here are, in our eyes, in fact pros. We'll explain why later on.
Pros
- Allows you to apply in Luxembourg for a global license, valid for up to 4.5 years
- Simplifies license management
- Lets you focus on yearly reporting instead of applying for individual licenses for each transaction or customer
- Demonstrates compliance in export control to Government, licensing authorities, suppliers, customers, and business partners
- Is the result of a step-by-step process, raising internal awareness of compliance and taking into account the risk level of the company
- Creates a valuable knowledge basis and working document for export control staff and all employees
- Allows Management to sleep well, knowing that any violation of export control laws is heavily sanctioned by significant fines (in Luxembourg up to 1 million euros) and imprisonment (in Luxembourg up to 10 years)
Cons
- It cannot be copy-pasted from other companies' ICPs, as each company has different risks and tolerances, different products and customers
- Requires a proper risk assessment (and an effort) before starting to draft the document
- Requires products to be correctly classified against export control lists and to have a correct CN number (see the template provided in Annex to the Luxembourg ICP Guidelines)
- Needs periodic updates
- Needs to be drafted in a language that can be read and understood by all employees
Convinced? Discover in the following chapters how to start your complete ICP in a structured way!
Dos and Don'ts when starting the ICP process
We would love to give you a head start on your learning curve and share some valuable hints on avoiding significant pitfalls. Start by reading the most important Dos and Don'ts.
Dos
- Take a look at the EU Commission Guidance (Recommendation 2019/1318/EU of 30 July 2019 for dual-use items, Recommendation 2021/1700 of 15 September 2021 for research involving dual-use items, and Recommendation 2011/24/EU of 11 January 2011 for defense-related products)
- Search for guidelines issued by your national licensing authorities (e.g., Luxembourg's OCEIT in 2020, Germany's BAFA, and Belgian Flanders Strategic Goods Control Unit)
- Collect all national export control legislation (pay attention to EU legislation as well, e.g., for dual-use items), have a look at websites published by licensing authorities (e.g., Luxembourg's Guichet pages), and check if these are regularly updated
- Collect any information on problems and questions that have appeared in the past
- Verify if all your products have valid and checked CN (combined nomenclature in customs) numbers
- Check if your products have been assessed in the past against export control lists in the field of military or dual-use items
- Have a look at how your company is currently screening your customers against sanctions lists and operating due diligence and know-your-customer processes for customers and end-users of your products
Don'ts
- Do not plan to copy-paste any other company's ICP
- Do not rely on third parties promising to sell you ready-made ICPs
- Do not think that you can draft and submit your ICP within two weeks
- Do not start on the basis that your ICP will be done without any internal resources from your side (in particular, input and assistance from the compliance team, product engineering, customer relations, sales department, and management)
- Do not think that the ICP is a one-shot exercise (as it requires periodic updates and auditing)
How to choose an external consultant for the ICP process?
The perfect external consultant should be characterized by experience, competence, and up-to-date knowledge. Let's dive deeper!
If you need help with compliance and have unanswered compliance questions, if your export department is understaffed, or if you lack the time to draft your company's ICP, you may want to engage an external consultant.
The process of selecting a compliance consultant should not be taken lightly, as your choice may significantly impact your business financially and operationally. Here are a few things to think about when going through this process.
Verify if the consultants have the necessary experience and qualifications to help you and your company.
The consultants should have many years of highly relevant experience in export control compliance. If the consultant is a lawyer, ask what types of companies he or she has already assisted in setting up an ICP.
If the consultant has an industry qualification, ask about publications or interpretations of legal texts. A good consultant should have both excellent legal skills and an understanding of corporate issues acquired through relevant work in the industry or by assisting industrial companies.
Test the consultants’ knowledge.
Ask them questions about export compliance. An excellent one: "What is catch-all for dual-use?" The consultant should be able to answer all your questions (also that one) in a way that you understand clearly.
A No-Go: Using only legal language. Required: A structured reply with a clear statement at the end, ready to be taken forward in your compliance work without further clarification.
Check if the consultant keeps up-to-date with regulations.
Good consultants advise and train clients all day long. They provide clients or the general public with newsletters and speak at conferences. They attend external seminars. Every day, they review all new rules and regulations in export control.
Ask a recent export control compliance question to check if they are up-to-date. For example, about the goods for which the EU is adopting export limitations in Hong Kong. The reply should be concise and clear: “Sensitive equipment and technologies for end-use in Hong Kong, where there are grounds to suspect undesirable use relating to internal repression, the interception of internal communications or cyber-surveillance. Based on the EU Council conclusions of 24 July 2020, but not yet integrated into binding EU decisions or regulations.”
Ask for references.
Consultants usually do not release clients’ names without their prior consent. But appropriate references or client testimonials may be given. Ask licensing authorities in your country if they know the consultants you want to engage with. Google the consultants’ names and see if search results (should be top-ranked) are related to their specific experience in export control compliance. Refrain from engaging consultants who offer compliance services but in other fields (like finance, where there are many of them around).
ICP Scope
The previous pages have introduced you to the dos and don'ts in setting up an ICP, selecting an external advisor, obtaining management support, and dedicating internal resources to accompany the ICP process.
Where to start now? Not everything has to be part of the Internal Compliance Program. But regulators expect your ICP to cover a certain number of points.
Have a look at the guidelines issued by licensing authorities.
You may look at the EU Commission Guidance (Recommendation 2019/1318/EU of 30 July 2019 for dual-use items, Recommendation 2011/24/EU of 11 January 2011 for defence-related products).
Please also read the guidelines issued by your national licensing authorities (e.g., Luxembourg's OCEIT, Germany's BAFA, Belgian Flanders Strategic Goods Control Unit). For those interested in the US perspective or companies affected by US legislation, you may refer to the U.S. Department of Commerce, Bureau of Industry and Security (BIS) guidance issued in January 2017.
All of these guidelines indicate some core elements every ICP should have. But do not neglect that if your company is part of a worldwide operating business, your group may already have some ICP or compliance policy.
ICP Structure
There is no legal requirement on how to structure your ICP document. An ICP must be tailored to the business’s size, structure, and scope, especially your company’s business activity and related risks.
You should structure your ICP into different chapters and define each of these chapters as a sub-project within your ICP drafting process (possibly with different contributors).
We generally recommend a ten-point ICP structure.
- Top-level Management Commitment
- Applicable Legislation
- Risk Assessment
- Organization, Structure, Responsibilities & Resources
- Training & Awareness Raising
- Transaction Screening & Procedures
  - Item Classification
  - Transaction Risk Assessment
  - License Determination & Applications
  - Post-Licensing Controls (incl. Shipment Control and Compliance with License Conditions)
- Recordkeeping & Documentation
- Physical & Information Security
- Performance Reviews & Audits
- Internal Reporting & Corrective Actions
This structure does not mean you have to start your process by dealing with point 1 and finish with point 10.
Your Management will commit to export control compliance while validating your ICP.
We suggest starting with Risk Assessment (chapter 2), followed by the other topics in a more or less parallel way of working. Finish with the chapter on management commitment, which will become the first ICP chapter to be read by authorities.
The Importance of Management Commitment
The last exercise before seeking Management's approval of the ICP (even though it will be the first chapter of the ICP) is to obtain a firm top-level management commitment, often in parallel with the approval procedure.
A factor in determining the success of the ICP
Management support is essential in ensuring that the Internal Compliance Program is legitimized, receives adequate resources, and is fully integrated into the company’s daily operations.
The ICP has to foster a compliance culture throughout the company. Company staff and Government authorities must read from this document that there is a clear commitment to respect and comply with trade controls and to ensure that any compliance measures are effective and supported permanently. At the same time, it must promote an openness to self-reporting of possible trade control violations.
The Management must buy into and commit to the program’s success through the statement. There is no general template to be recommended to exporters while drafting the text of the Management commitment. This is a case-sensitive exercise, considering the risk associated with the company’s operations, products, services, customers, and corporate structures.
In the 2020 Guidelines, the Luxembourg authorities have indicated several points that will be checked for the ICP to pass validation.
The management commitment must:
- Clearly state the company's commitment to trade controls applicable to sensitive products and services
- Explain the primary purpose of export controls
- State that under no circumstances will the company's export policy be compromised for commercial gain
- State that it is the responsibility of the company and its employees to be familiar and compliant with export controls
- List specific risks as they relate to the company’s products, technology, destinations and activities
- Describe penalties for non-compliance
- Affirm appropriate resources to be dedicated to export control compliance
- Appoint the individual persons responsible for disseminating the statement within the company and to whom any question concerning the legitimacy of a transaction or a potential violation should be referred
- Indicate the means Management will use to build a pervasive compliance-oriented corporate culture
- Indicate the means with which employees will have access to Management Commitment and ICP
Risk Assessment
You have had a look at guidelines issued by licensing authorities. You have structured your ICP into different chapters. This chapter will guide you in properly assessing your business risk and building the foundation to customize the program.
Start with the Risk Assessment
We recommend starting with the risk assessment. During this process, you shall carefully assess the product range, customer base, and business activity that are or could be affected by trade control measures. It should identify relevant vulnerabilities and risks so the company can incorporate ways to mitigate them under the ICP. Even though this risk assessment cannot identify all vulnerabilities and risks your company may face in the future, it will give the company a better base to develop or review its ICP.
You will not need to start from scratch when designing your ICP if you already have internal control processes. The exercise will then help you assess your existing corporate policies and procedures against export control-related risks and devise a course of action for adapting them, if necessary.
In addition, promoting synergies between existing policies and export control requirements is a further step to consider from the beginning. For instance, if available, it is a good practice to insert cross-references to export control principles and requirements in your code of conduct. The outcomes of this risk assessment will affect the necessary actions and appropriate solutions for developing or implementing your company’s specific compliance procedures.
There is no “one-size-fits-all” template.
The risk assessment should review the company from top-to-bottom and assess its touchpoints with the outside world. The goal is to identify potential areas of risk. It should at least:
- Describe the company profile and corporate structure, including locations, activities, or business partnerships outside your country of head office
- Indicate the business activity & type of customers, supply chain, intermediaries, consignees and end-users
- Detail the geographical location of the customers and the destination of exports or services provided
- Describe (all) the goods and services handled or provided by the company, even those not listed in relevant export control lists (catch-all!)
- Expose the end-use (military/civil/dual) of the company products
- Describe how the company has organized its export process (from the initial customer request until shipment)
- Indicate how the company has set up and ensured compliance with export control regulations in the country of its head office and abroad (destination countries of exports and services, location of business partners)
While carrying out this risk assessment, it is advisable to be transparent: it is better to show the risks and the measures taken or planned to control them than to hide relevant information. To allow licensing authorities to get an accurate and complete overview of the company, its products, and its customers, the assessment must be complete (regarding companies that are part of the group, customers, business partners, goods, etc.). Demonstrate a professional approach to gain trust. Be concrete, and do not use general wording.
Collect Documentation for the Risk Assessment
You have started the Risk Assessment chapter. What background information do you need to collect?
Your risk assessment process should start with collecting documents and information on your company's product range, customer base, and business activity:
Corporate documents
- Articles of association
- Registration certificate (trade register,…)
- List of shareholders
- VAT number
- Group structure chart
- Corporate documents of parent company and subsidiaries
- List of participations held (name of the undertaking, number of shares, ownership percentage, net equity, financial results)
- Address of head office and locations within your country and abroad
- Management structure, with CVs of managers
- Annual accounts for the last three years
- Description of company history (mergers, development of product range)
- Staff statistics (total number of staff, employees involved in export-related functions)
Business activity
- Activity reports for the last three years
- Pictures of locations
- Ongoing development projects
- Domestic and foreign divisions/offices/facilities that have a role in export transactions
- Description of industry sector and business model
- Turnover by category of activity and geographical markets
- Field services performed
- Steps of current order & shipping internal process
- Document flow chart
- General and specific terms and conditions
- Competitors within the industry sector
Product range
- Product description (technical specifications), pictures, and examples of the application for each product (category)
- Products marketed by other group companies (short description)
- Product classification under TARIC (CN nomenclature), military & dual-use lists (existing classification sheets)
- End-use of the company's products
- Export restrictions related to the company's products
Continue with your customer and country profile to generate a complete picture.
Customer Profile
- Number and description of customers within the EU and outside the EU
- Customers with repetitive sales / single transactions
- Number of shipments EU / third countries
- Limitations with regard to geographical markets developed
- Customers re-exporting products supplied to them
Country profile
- Description of countries of establishment of customers
- Countries of transit
- Countries of end-destination
- Sanction & embargo countries where customers are located
Explain your corporate structure
Licensing authorities like being provided with a complete overview of the company's structure before reading further on export control issues. So, provide details of your company's name and trading name, corporate purpose, articles of association, head office address, registration, VAT and business permit number, phone and email, and logo. Also list all domestic and foreign operating divisions, offices, and manufacturing facilities. Say a word about the place of your company within your group.
Who are your parent company and other companies in the same group? Provide underlying corporate documents for those. Adding a group structure chart to your document is good business practice.
Does your company have subsidiaries in your home country or abroad? If any, provide information on their activity and any export control-related issues. Give a list with the name of the undertakings, the number of shares your company holds, ownership percentage, net equity, and financial results.
You must indicate your company's shareholders. It is particularly relevant for authorities to know who has a say in your company, who the majority shareholders are, how voting rights are distributed, and who the minority shareholders are. Attach all relevant corporate documents to your ICP manual. Tell your readers about the company's founders, initial business idea, product range development, business model, and customer profile over time. Also mention whether your company or group has been subject to mergers.
Management Structure
Licensing authorities are particularly interested in knowing who manages the company.
- How are your corporate bodies structured?
- Who currently sits on the management board?
- Are those managers experienced?
- What were their previous career steps (provide CVs)?
- Who can legally commit the company (list of authorized signatures)?
- How is the company structured from an operational point of view?
- Who reports to whom?
- How many human resources are dedicated to the company in the different divisions and locations?
- How many employees are involved in export-related functions?
Show your business activity
Regulators like to be updated on your business activity. Do them that favor and tell them if your company is a manufacturer, a reseller, a distributor, an integrator, a provider of technical assistance or technology transfer, or a broker. Present the part of turnover (based on the latest audited annual accounts) in each of these activities and product categories.
In what industry sector are you working? Is there a significant compliance risk for this industry? For what reasons? Do you know about any violations of export control compliance regulations by competitors and the reasons for these violations?
Who are your main competitors for each of the products and activities? What is your market share in the different territories?
What is the market size for your products and activities?
What is your product portfolio history? Some words about innovation and research & development activities? Public funding received?
What types of customers are you serving? Public authorities or entities, Government, defense companies, private companies, individuals? Do you go through intermediaries, like resellers, distributors, or integrators?
How are your products sold? Under your corporate brand, co-branded, or with a private label?
Does your company perform field services? How many orders are you processing monthly?
Are you inviting overseas entities to send representatives to your facilities for periodic training, product updates, or enhancements you hope to market?
Some tips: Try to be as exhaustive as possible in this chapter. Produce graphs and pictures of your activity. Do not limit your developments to export-controlled products or activities, as this could give an incorrect view of your overall risk exposure. Be as neutral as possible regarding competitors.
Describe your customer base
Tell your readers as much as possible about your customers. Names are not required, but provide a total number of customers. In what industries are they active? Are your customers the end-users of your products? Or are they intermediaries or distributors? Are they integrating your goods into their articles that are subsequently put into further articles before sale to the final end-user? Are your customers re-exporting to other countries? Have you obtained end-use certificates from your customers?
The nature of your customers is a risk criterion. If they are end-users, you have control over the end-use of your products. If your products are resold or integrated into other goods, it is harder to trace the shipment route and end-use, which means more risks from an export control compliance point of view.
Where are your customers located? What is the proportion of customers inside/outside the EU? Which are the countries where most of your customers are established? Use graphs to show the main results of this assessment, and do it by business unit and/or product category. Make an assessment regarding non-EU countries by detailing in how many sanctioned countries (subject to embargoes) and sensitive countries (regarding proliferation, arms embargo, and respect of human rights) your customers are located. A good business practice is to insert a table per product category, with country name and code, EU/third country, number of shipments (over the last three years), quantity, value, number of customers, and rank. Say a word if your marketing policy excludes certain countries from your target list.
What is the relationship with your customers? How many customers are long-known clients, and how many are new? What is the proportion of repetitive sales compared to single transactions? Do you sell through an e-commerce shop? If yes, what is the proportion of such sales compared to total sales figures? A stable customer base is an essential asset in risk determination and is worth mentioning.
Describe your product portfolio
Before starting, please remember that you should give an overview of all your products, not only those that you deem relevant for export control. Doing otherwise would distort the actual risk level to which your company is exposed.
In this section, describe the products you manufacture, integrate, and/or resell. Please add pictures of the products here and give examples of the application of these products. In what form are they found or manufactured? What are their ingredients? What are their specific features and characteristics? For what are they used? Are there competitors out there for the same products? Avoid overly technical language here, as the purpose is to give your reader a complete but concise overview for risk assessment purposes. Technical details may be added to the product classification sheets (more on this later).
Regarding product classification, you should provide a rough understanding of the classification process followed by your company. Who is classifying? Are all products classified according to the templates (if they exist) provided by licensing authorities? You may give a graph showing the process flow and approval procedure here.
What are the customs codes (CN, according to TARIC, for EU exporters) you are using for your products? How are the products classified under currently applicable dual-use and military control lists?
Are there any restrictions if your goods are strictly civilian? Have you applied for and been granted (or refused) licenses, and for what type of product (please provide a list of licenses)? Describe those products listed as dual-use or military items in more detail.
Indicate your order/shipping process
In the previous steps of the process, you have presented your business activity, your products, and your customers. Before proceeding to the Risk Matrix, the final step of your risk assessment process, you should say a few words about your order and shipping process.
Speak about order handling. How are orders accepted and processed in your system? What are specific requirements (e.g., an active customer account, product reference numbers, acceptable order quantities,…)?
What happens when a customer cancels an order? How are sample requests handled? Are reports on open orders issued? How are orders transmitted to production? How are product classification numbers considered in the process? Speak about customer master data.
The next section covers order delivery. What are the steps required to create a delivery? How are delivery notes issued? To whom are delivery notes transmitted? What about amendments to delivery notes? How are specific transportation requests handled? How are shipping documents created?
When are orders invoiced? By what means? What about price quotations (information and conditions included, special prices and terms, rebates and discounts, and pricing reports)?
Provide insights into your processes related to credit notes, debit notes, invoice cancellations, and returns. Are there any credit control steps involved? How are contracts and arrangements handled?
What about inter-company transfers? Are there any global work rules? How is export compliance integrated into all these steps? How are audits performed? What about record-keeping and retention?
How is your company performing customer service? Speak about customer satisfaction, delivery to promise, on-time delivery, customer surveys, handling of customer complaints, training and development, and sales support teams.
Risk matrix
Now that you have set out, in a series of sections, your export compliance risk in relation to your business activity, products, customers, end-users, and end-uses, as well as your order and shipping process, the time has come to conclude this risk assessment chapter (the second one of your ICP). During this exercise, you have identified key risks (external and internal) faced by your company and tested the controls you have in place to mitigate these risks. You can now measure the total exposure your company has to the risks it faces and plan actions to reduce these risks.
The risks could appear at the level of your exports (exports without any authorization, unauthorized release of sensitive information or controlled technology), your organization (weak or missing compliance structure, unclear product classification against control lists, lack of communication within the organization, underdeveloped or missing export compliance procedures), and your customers (unknown end-users or end-uses, unawareness of diversion risk). A good business practice consists of visually presenting these risks in a table or graph, providing the reader with a straightforward corporate risk self-assessment, thus enabling them to understand the actions and processes you will set out in the coming chapters of the ICP.
An approach could be to classify all risk factors into a “low,” “moderate,” or “high” risk. For example, when speaking about customers, a stable and well-known customer base in a localized environment and few higher-risk customers demonstrate low risk. A changing customer base and a moderate number of higher-risk customers are signs of a moderate risk. A large fluctuating client base in an international environment and many higher-risk customers prove the risk is high.
Calculating the residual risk, which remains after controls are applied to the inherent risk, is also a widely adopted approach. It is determined by balancing the level of inherent risk with the overall strength of the risk management controls. For example, when inherent risks considered low are only controlled at less than 75 %, the residual risks will be qualified as high. Conversely, when inherent risks are controlled at 90-100 %, the residual risks are low.
A well-known process is also to identify the risks in a column and link any of these risks to a risk mitigation tool in the second column of a table. For example, if the main risk is to export controlled goods without authorization, the preferred tool should be to develop and use a license determination matrix.
Legislation
Being aware of export control rules
Now that you have concluded your risk assessment chapter (the second, and a very important one, of your ICP), it is time to move on. In a third chapter, you must demonstrate that you have a firm grasp of the laws and regulations governing your exports and other controlled operations on sensitive goods.
Again, there is no one-size-fits-all text we can recommend. Even if the EU Guidelines do not provide specific guidelines for that point, drafting a particular chapter dealing with the applicable legislation fulfills a double purpose.
First, you should see the ICP as an internal working document for daily operations. As such, the chapter dedicated to applicable legislation has to provide internal users of the ICP with a complete and detailed overview of the legal framework of export control compliance.
It should, therefore, contain precise legal references showing where to find the laws and regulations to which the company is subject and, above all, (legally justified) answers to detailed questions.
Secondly, it should demonstrate to licensing authorities that the program you have implemented is built on the right foundations and that you are entirely aware of the rules covering export control and the penalties you may face in case of violations of the laws and regulations.
Here are a few tips on how to approach this chapter:
- Begin by collecting and attaching complete legal texts applicable in your jurisdiction to the ICP document (preferably as an annex because of volume). Go for consolidated and updated versions of the legal texts.
- Continue by converting the set of legal texts into an explanatory document, focusing on controlled products, operations, authorizations, and fines. Use simple (not legal) language exclusively, because you want your readers (mainly not lawyers) to understand easily.
- Add references to legal texts throughout (for example: “Law of (date), art. (number), paragraph (number)”, or “EU Regulation 2021/821 on dual-use items, art. (number)”). Add a reference to the annex if the relevant legal text is reproduced in the attachments to your ICP document.
- Integrate FAQ (frequently asked questions), which you can enlarge with subsequent updates, as a specific section of this ICP chapter.
- Ensure that you cover all jurisdictions that apply to your activity. You must demonstrate that you have analyzed and integrated into the ICP the relevant legislation of countries other than your home country that have an impact on overall, worldwide compliance because they are destination countries of products or services, the location of affiliated companies or corporate sales agencies, or the location of customers or business partners. If your company has its headquarters in country A and a link in country B, your chapter should cover the respective export control regulations of countries A and B. As this can be tough for multinationals, follow point 6 hereafter.
- Graphically describe applicable legal rules. One basic approach could consist of creating a table with four columns: the first one dealing with goods (dual-use, military, civil, …), the second one indicating the different operations (export, import, transit, technical assistance, brokerage, …), and the third one the possible restriction (prior authorization requirement, prohibition, no restriction) for each product/operation. The fourth column would indicate the legal basis for each of the results. Use additional notes, e.g., in a note section or footnotes, to explain the steps or the precise meaning of legal wording.
- Be concise but precise and complete. Be aware that any modification of relevant laws, regulations, and rules on export control must generate an update of the ICP document.
Organization, Structure, Responsibilities & Resources
Export Control Compliance Officer & Staff
Sufficient organizational, human, and technical resources are essential for effectively developing and implementing compliance procedures. Without a clear organizational structure and well-defined responsibilities, any ICP risks suffering from a lack of oversight and undefined roles. On the contrary, having a solid structure helps organizations solve problems when they arise and prevent unauthorized transactions.
The level of sophistication of a company’s internal compliance controls will depend on the nature and scale of the business and the risk level defined in the ICP. What is essential is that policies, procedures, and controls be carefully thought out, clearly set down in writing, and effectively communicated to all employees, agents, and business partners.
Consider the following when setting up an appropriate compliance structure and the relevant chapter in the ICP:
- Determine the number of trade control staff, considering legal and technical aspects that must be covered.
- Set the internal organizational structure in writing (for instance, in an organizational chart that identifies, defines, and assigns all compliance-related functions, duties, and responsibilities).
- Identify and appoint the person(s) with the overall responsibility to ensure the corporate compliance commitments. The ICP should demonstrate that the Export Control Compliance Officer (or a person with a similar function) has a direct line of communication with the Board of Directors and Senior Management, is knowledgeable concerning the applicable international and national regulations, and has a good working understanding of the company’s products, services, technologies, suppliers and customer base. They should have full authority to look into all compliance-related matters and assemble a project team to address and resolve problems when they arise.
Compliance-related duties & responsibilities
Ensure that an equally qualified substitute can assume the task in case of absence (such as sickness, holiday, and so on).
Define, assign, and connect all compliance-related functions, duties, and responsibilities in an order that assures management that the company is compliant overall.
Staff all export control-related business areas with employees who demonstrably have the required skills. At least one person in the company is (not necessarily exclusively) entrusted with a trade control function. Unless national legislation provides otherwise, this function can be shared between corporate entities within the EU as long as an appropriate level of control is maintained.
Define the knowledge and skills that legal and technical dual-use trade control staff need. As appropriate, include individual compliance responsibilities in job descriptions and personnel performance evaluations.
Include portrait pictures, detailed job descriptions (in the main document), and your compliance team’s curriculum vitae (in attachment), with a focus on studies, qualifications, and training in trade control management.
If trade control duties are outsourced, organize and describe the interface and communication with the company.
Corporate compliance commitments
After appointing qualified staff to your export control department, you must create an environment where they can ensure corporate compliance commitments.
You should protect your dual-use trade control staff as much as possible from conflicts of interest. Such a situation could occur if your compliance personnel are located within the sales department or a business unit that funds their salaries. There may also be a conflict of authority if compliance officers report to multiple departments, such as Operations or Legal. You should aim to simplify the structure and reduce the burden on compliance officials when they report and address issues.
With that in mind, your compliance staff should have direct access to management and the power to stop transactions – or inform the responsible compliance officer directly of any potential violation of export control regulations – at any time during the order and shipping process.
This staff should be independent and allowed to function as expert advisors to guide company decisions, resulting in compliant transactions.
The question of centralizing or decentralizing the compliance department may receive different replies. Some companies may designate a single employee or department to manage the ICP and coordinate export compliance responsibilities with the other offices or locations. However, the program can also be decentralized, with one office providing general guidelines and leaving each operating unit to act independently.
Whatever the structure, compliance officials should be provided with all necessary resources. Among them is access to the relevant legislative texts, including the latest lists of controlled goods and lists concerning embargoed or sanctioned destinations and entities. A practical tool is to check customers and end-users against restricted party lists.
Management should support the compliance team in its critical work. Such support could take the form of distributing appropriate operational and organizational processes and procedures relevant to dual-use trade controls to all relevant personnel, ensuring that, at any time, your company has an up-to-date compilation of the documented processes and procedures (e.g., in a compliance manual).
Get people together on export control issues through management support meetings and training. The responsibility of the compliance officer for the daily monitoring of official announcements and press releases from regulators should be determined.
This responsibility should include developments or enforcement actions that could impact the company’s line of business or its suppliers, the communication of changes in regulations, policies, or procedures to company personnel using in-house emails, newsletters, announcements, or notices posted on the company intranet, and the communications with regulators for all compliance-related issues.
Training & Awareness Raising
Training and raising awareness on trade control is essential for staff to perform their tasks and take compliance duties seriously. It is critical due to the dynamic nature of international and local trade control regulations, sanctions, and embargoes. All the compliance policies, procedures, and “best practices” in the world are worthless unless employees know, correctly understand, and follow them. Even worse, they may create a false sense of security.
When setting up adequate export control training, you may consider the following:
- Ensure the trade control staff knows all relevant export control regulations, the company’s ICP, and all amendments.
- Use different types of training, e.g., workshops, webinars, external seminars, subscriptions to information sessions offered by competent authorities, and in-house training events.
- Include self-guided training by digital means.
- Offer customized training upon staff request.
- Carry out awareness-raising on export control issues for employees at all relevant levels.
- When possible, incorporate lessons learned from performance reviews, audits, reporting, and corrective actions in your training or export awareness programs.
- Ensure that corporate training programs are conducted regularly and frequently enough.
- Make sure that deadlines for completing or renewing training are enforced.
- Ensure that training content is being updated.
- Deploy every training with a closing test or questionnaire to verify knowledge retention.
In your ICP, you should:
- Appoint the person(s) responsible for overseeing export compliance training.
- Appoint the (internal and/or external) trainers nominated to conduct the export compliance training and include their qualifications for export control issues.
- Indicate staff to be trained (with a timetable for new and existing employees).
- Mention the types of tailored training to be provided.
- Define the topics of the training to be provided to senior management, to all new employees (introductory training), to employees with export-related jobs (intermediate training), and to export compliance personnel (advanced training).
- Describe measures foreseen to implement awareness-raising activities.
- Mention how often training will be provided and/or required.
- Describe the means to document training and maintain detailed training records.
- Indicate the means to keep training materials relevant and up to date.
- Define how the results of performance reviews, audits, reporting, and corrective actions will be integrated into training or trade control compliance awareness programs.
Transaction screening & Procedures
Transaction Screening
Regarding operational implementation, transaction screening is the most critical element of an Internal Compliance Program (ICP). This element contains the company’s internal measures to ensure that no transaction is made without the required license or in breach of any relevant trade restriction or prohibition.
The transaction screening procedures collect and analyze relevant information concerning item classification, transaction risk assessment, license determination and application, and post-licensing controls. Transaction screening measures also allow the company to develop and maintain a certain standard of care for handling suspicious inquiries or orders.
To prepare this core chapter of your company’s ICP, you should review and document accordingly:
- How do you handle item classification for goods, software, and technology regarding export control lists?
- How is your company checking trade-related embargoed, sanctioned, or sensitive destinations and entities?
- How are you integrating customer due diligence in your daily operations?
- Are you screening the stated end-use and the parties involved, and if so, how?
- How are you screening for diversion risk, meaning the possible misuse of your dual-use items in the context of, e.g., conventional military or WMD proliferation?
- The way you are managing catch-all controls for non-listed dual-use items.
- How have all relevant employees been made attentive to possible red flags relating to suspicious customer inquiries, and how are such red flags verified?
- The process you have in place to determine license requirements and license application as appropriate, including brokering, technical assistance, and transit activities.
- How are you implementing and keeping records of post-licensing controls, including shipment control and compliance with the conditions of the authorization?
- The internal process you have in place for keeping export control records and documentation safe and accessible.
All these points must be integrated into your ICP to demonstrate to licensing authorities that you have correctly assessed your export control risks and have appropriate internal procedures in place to manage those risks.
Product classification
As an exporting company, you are deemed to know your products and screen them against the applicable trade regulations and control lists, starting with determining what CN code is given to your products.
What should your ICP manual contain in terms of product classification?
Before starting, please consider the current classification of your product portfolio that has already been issued and integrated into the Risk Assessment chapter of your ICP. In the Transaction Screening chapter, you must display your company’s internal procedures to ensure proper classification of existing and new products.
First, tell licensing authorities who the engineers are who regularly classify your products and who the persons responsible for legal assessment and validation of the classification are.
Secondly, indicate and display the item classification sheet you are using. Such a classification sheet shall document why the concerned item falls in a particular category of a control list, noting the specific parameters and subparagraphs of the CN, dual-use, or military lists. It shall also document if the product is mentioned in the sanctions regulations against a particular country and if authorization is required for export, transit, import, technical assistance, brokering, or technology transfer of such product. In Luxembourg, for example, authorities have issued and made available in their 2020 Guidelines a template sheet that may be used for the different classification steps.
The classification sheet should leave enough room for a reasoned and structured assessment. For example, if the use of the correlation table has resulted in one or more potential dual-use codes, take one code after the other and assess if the description of this code (including technical notes and definitions that may appear on different parts of the control list) correlates with the technical specifications of your product.
To facilitate review by authorities (who may claim such product classification sheet as a justifying document for license applications), start the assessment by repeating the wording of the code, followed by a complete and duly reasoned (including technical data) argumentation of why (or why not) the code applies to your product, and a conclusion.
Third point: Confirm and tell authorities what your classification process is. Mention that your classification starts with the correct CN number (and explain also to your internal staff what this is about). Indicate the product categories you are screening against. Speak about dual-use and military equipment lists.
Remember: The transaction risk assessment always starts with a proper product classification. As long as not all of your products have been properly classified against export control lists, it will be difficult, not to say impossible, to be sure of the requirements attached to a specific product. And even if a product is not listed on a control list, it may be subject to catch-all provisions.
Starting to draft the ICP without having completed product classification is not a good idea. As this classification is one of the risk factors you must assess in the Risk Assessment chapter, the risk assessment can only be complete once the classification is. The measures you implement and explain in the ICP can only be appropriate and complete with this classification and risk assessment duly documented.
Screening procedures
In this section of Chapter 6, you should first explain and demonstrate the screening procedures you have implemented and are following with regard to export control requirements during the order and shipping process.
The workflow should be displayed in a chart and explained in the text. A compliance-focused workflow will include the following:
Customer screening
Your ICP Manual should explain how you are (1) screening that your customer is not a sanctioned entity, (2) checking if the client’s KYC Profile is up to date, and (3) verifying that the necessary due diligence has been conducted and that there is a recent (less than three years old) full due diligence report available in the system.
Product screening
Your ICP should demonstrate how you ensure that the export control classification of your products is considered in your order and shipping process. Tell the reader how and when you are reviewing if the product intended to be shipped has already been classified.
If an item classification sheet exists for the concerned product, you must review the accuracy of the classification and whether it is still up to date. In case of doubt, an information request has to be made with the supplier. Product engineers and the export control team will be asked for any assistance.
You should also indicate your internal process if an item classification sheet does not exist for the concerned product, meaning who will manage and document the product classification and how.
Explain also how you ensure the license requirement check will be followed if any of the product screenings reveal a listing in the dual-use, military, or torture goods lists.
End-use screening
The Internal Compliance Program shall describe how you ensure that, for any transaction, an end-use screening has been made and is still valid.
Indicate also how you guarantee that if end-use checks reveal a nuclear, chemical, biological, or military use, notification or license requests will be made to licensing authorities.
Transaction screening
Your ICP should show how you ensure that a transaction screening has been made and is still valid.
Transaction screening comprises a “red-flag” verification. If a red flag is revealed, the operation shall be stopped. If no such red flag appears in the verification process, a sanctions screening is performed to determine whether the operation is prohibited or subject to any restrictions, or to confirm that the operation is not restricted.
In the workflow, your ICP should also identify who is responsible for each flow stage and at what points an export violation could happen. The workflow must integrate various checks into the process at those points of vulnerability.
Say a word on the frequency of export checks. For example, a sanctioned persons and entities check conducted by sales personnel at the initial stages of a transaction could minimize the time and expense a company might incur to win business that it cannot fulfill. The same check at the end of the process, immediately before shipping, can identify any last-minute changes relevant to the transaction.
Tell your reader about preventative controls you are implementing to minimize vulnerabilities before order entry, in-process controls that will place a “hold” on a transaction necessitating a secondary review, and after-process controls that would alert you to system failures.
End-use screening
The objective for the end-use screening is to:
- Verify that the items to be exported will not be used for purposes other than the declared use.
- Ensure that any non-listed dual-use items for a destination subject to a binding embargo are not intended for a “military end-use”.
To determine the appropriate authorization, the ICP must create a system to identify and stop export, re-export, and selected in-country transfer transactions involving specific end-uses and activities. A good compliance practice is to:
- Verify the intended end use of the exported item for each order. This information is primarily obtained via contacts with the customer and following consultation of open, i.e., publicly accessible, sources on the end user concerned.
- Obtain several guarantees, i.e., an end-user certificate drawn up and signed by the customer at an early stage of the sales process.
- Ensure that the end-use statement specifies the intended end use and comprises a commitment by the consignee of the items to not use these items for proliferation purposes or the production of weapons of mass destruction.
- Check that this document also indicates whether it concerns a defense-related end use and specifies the exact location of the items and the ordered quantities.
Your ICP should allow sufficient resources for you to screen your customer, consignee, and/or end user, check the end-use certificate, verify that the indicated end-use is logical, is in line with previously held customer information, and tallies with the end user’s business activities, and be attentive to the type and quantity of products ordered compared to previous orders.
Diversion risk screening
Illegal diversion risk is one of the most significant export control issues facing exporting companies today. Illegal diversion is when your company sells a product to a foreign customer outside the EU, and that customer resells the product without your knowledge in a prohibited country (such as Iran or Syria) to a prohibited party or for a prohibited end-use. Illegal diversion can create significant problems for exporters, ranging from reputational damage (news stories about your product appearing in Iranian markets) to enforcement actions.
The Internal Compliance Program should aim to reduce potential liability from illegal diversion.
Here are some steps that you should include in your ICP in order to demonstrate awareness about illegal diversion and concrete measures to fight against it (other steps are often added based upon the company, product and countries in question):
- Require the purchaser to provide a complete and duly signed end-use statement in the export contract or a separate document as part of the transaction documentation.
- Conduct a careful due diligence review of the purchaser and all other parties to the transaction.
- Maintain documentation about due diligence conducted to perfectly “know” your foreign customers by obtaining detailed information on the bona fides (credentials) of their customer to measure the risk of diversion, especially when the customer is a broker, trading company, or distribution center and, thus, establishing your good faith attempts to comply with export control regulations.
- Use only freight forwarders and other intermediaries who have sound export compliance processes.
- Avoid “routed” transactions unless you have a long-standing and trustworthy relationship with your purchaser.
- Conduct screening for: (a) prohibited parties (for all parties to the transaction); (b) prohibited country destinations; and (c) prohibited end-uses.
- Communicate export control classifications and destination information to end-users, consignees, freight forwarders, and other parties to the transaction.
- Use information technology to enhance your due diligence review.
- Conduct training for foreign distributors, resellers, and other intermediaries regarding the legal risks of unauthorized diversion.
- Include a clause in your contract with the foreign purchaser that (a) provides that the customer will not re-export the product from the purchaser’s country without obtaining the consent of the exporter and (b) provides that the purchaser will indemnify the exporter from liability (including litigation costs) arising from unauthorized diversion.
- Pay close attention to any red flags, and communicate such red flags and the measures you have taken to deal with them internally.
License determination
All efforts to draft and submit a perfect Internal Compliance Program are meaningless if your company cannot determine day by day if an administrative authorization (often called a license) must be applied for and obtained before the export (or another export-controlled transaction) takes place. As this is a complex question and the most important one in export control compliance, all resources and available documentation have to be considered in this assessment.
Your ICP should demonstrate that you have mastered the multi-step process to determine if a license is required for a particular transaction and that you duly document the relevant criteria assessed during this process. Here are some tips for drafting the relevant ICP chapter:
- Start your process with your product (requires a duly completed product classification sheet).
- Consider the type of transaction involving the product concerned (e.g., export, import, transit, transfer, brokering, technical assistance, and intangible transfer of technology).
- Review the end-use of the item, the customer, and the end-user, and pay attention to potential red flags.
- Assess if the transit, destination, and end-use country are sensitive or even sanctioned, meaning indicated on a UN, EU, or national sanctions list.
- Determine the license requirement by combining the four previous steps (there must be a clear yes/no answer, but take into account that a prior notification may be due to licensing authorities to ask them if a license is required, e.g., due to catch-all or end-use provisions in national or international export control regulations).
- Indicate what type of authorization must be applied for (in general, individual authorizations, but global or general authorizations on international or national level may be available for use).
- Tell your reader what conditions apply to the different categories of authorizations, what underlying documents must be attached to the application, what forms may be used, whose signatures are required, what processing times to expect within the public administration, and who will sign the licenses.
- Indicate the possible post-licensing requirements, for example, in case of expiration or loss of licenses, for the assignment of licenses, about conditions of use and return, and above all, any reporting requirements.
Recordkeeping & Documentation
In the ICP drafting process, you now leave the chapter dedicated to transaction risk. The next chapter you should approach focuses on record-keeping and documentation.
This section has the following objectives:
- Identify who will keep the records.
- Specifically, list the records to be maintained and in what format.
- Detail the filing and retrieval systems and procedures.
- Clarify the records retention period.
- Determine methods to verify compliance with the record-keeping requirements.
Start by explaining legal requirements and penalties in case of violation of these requirements.
Export-related documents from all phases of the application process should be retained in accordance with these legal requirements. These may certainly vary from country to country.
The obligation remains to accurately document the individual steps involved in any checks at all stages of a project. In this regard, the documentation shall also specify who manages the awarded licenses.
From an operational perspective, all records must be accessible to the competent authorities. Some of them allow records to be provided electronically. In some cases, an on-site visit will be necessary if access to the secure intranet is required; in other cases, records can also be sent for remote checks. Records may also be made available in hard copy and, where applicable, as scanned documents. Your ICP should elaborate on this requirement.
If your company deems that an application does not need to be submitted to licensing authorities, this conclusion should also be documented carefully.
Remember to speak about the record-keeping of foreign-national visitors at your facilities. This record-keeping should document all foreign-national visits and any special conditions attached to the visits. The record shall indicate:
- The visitor’s name and nationality
- The name and affiliation of the organization represented
- The date of the visit
- The persons visited
- Purpose of the visit with specific emphasis on products or services discussed
- A summary of the visit, including any issues or circumstances of note
Your company should also develop and implement a system to document all conversations with government and/or public administration officials involving potentially relevant interpretations or other guidance on export control issues.
These records should provide continuity in performing future export compliance functions and assist the company in defending its actions if necessary. Copies of all such records should be provided to and maintained by export compliance personnel. Your ICP should also supply details of this documentation requirement.
Physical & information security
In this ICP chapter, you should demonstrate that your company has adopted and is implementing robust security procedures.
First, your employees and visitors should be subject to physical access control to your premises. Speak about your internal rules on identification badges, check-in at the reception or security desk, and escorting visitors to non-public parts of your buildings. Also, say a word about safely storing paper and other hard copies of documents containing technical data or license information.
Secondly, you should present your IT security policy and explain how you store technical data in electronic form, encrypt electronic transfers of technical data to third parties, if any, and how employees access information and technical data.
In this framework, remember to set out specific processes for transferring technology (blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals, and instructions).
Take care especially of intangible technology transfer, meaning, for example, digital or oral transmission of documents irrespective of the medium, the management, or remote computer maintenance, networks, training in any form whatsoever, activities of studies or scientific research, and the transmission of know-how, practical technical or scientific knowledge, and information in any form whatsoever. Particular attention must be paid to controlling the portion of technology that is specific to export-controlled items.
Demonstrate that you have processes to follow if a license is required for technology transfer or international travel (how you manage laptops containing export-controlled technology). Where applicable, the chapter will also present the rules that apply before employees can contribute or participate actively in a conference or meeting in which export-controlled technology may be released.
Performance Reviews & audits
A sound audit process is essential to your export control compliance program.
Audits determine if the right questions are being asked throughout the process to ensure exports are consistent with national security and foreign policy interests and, thus, consistent with the company’s best interest.
The audit program should be specific to each company and could consist of the following:
Internal checks
Compliance monitoring shall integrate control mechanisms in daily operations and regular/random audits.
Control Self-Assessment
It is defined as a process by which a department examines and improves existing internal controls and/or implements new ones to mitigate risks associated with a process or function.
The CSA process entails documentation of the process, identification of all risks related to that process, and identification and evaluation of all internal controls that should be in place to mitigate the risks to an acceptable level.
The concept considers two levels. Through the first level (team level), the Export Compliance team works together with team leaders and specific employees to carry out an analysis of the strengths, challenges, and risks that may affect the company’s ability to achieve its objectives within the control framework and to take the appropriate procedures in this regard.
Through the second level (organization level), the results reached by the team in the first level are analyzed to identify the strengths, weaknesses, and risks and to link them to determine the main reasons for each in the existing control system.
Control Self-Assessment relies on internal control assessment through specific assessment techniques, in which the central role is carried out by the operational management rather than internal audit. This technique depends on teamwork rather than individual work, and it provides a reasonable rather than absolute assurance that the objectives will be achieved.
Most teams use either a workshop technique or a questionnaire technique. In the workshop technique, a team is formed to carry out Control Self-Assessment procedures. Workshops identify objectives and define the existing controls to achieve these objectives. After that, the residual risks (remaining after assuming the application of controls) are identified. It is assumed that controls and risks are already present in the system. The team’s task is to identify and assess these controls.
The questionnaire technique is based on performing Control Self-Assessment by designing a questionnaire including several yes-no questions. The questionnaire results are then analyzed to reach the required evaluation of internal control. Considering national law requirements, the questionnaire used within the Self-Assessment tool will be customized to the company’s products and operations.
This CSA should be conducted more frequently than the corporate-level audit, at least once a year.
Internal audits
A company should schedule audits to be conducted on a bi-annual basis at least. These audits should focus on the company’s overall export compliance process and the export transactions of specific business units. The frequency of subsequent audits may be adapted in consideration of the results of the previous audits, the development of the risk level according to the product portfolio and company operations, and the corrective measures implemented as a follow-up to previous audits.
The Internal Audit department management determines the direction of the internal audit. It typically includes testing of transactions to decide whether internal controls are operating as expected.
Since the system audit examines the processes and supervision within the company’s internal export control procedure, all aspects of internal export control shall be included. These include the relevant work orders and organizational guidelines, training courses, record-keeping methodology, and documentation.
For each audit period, the Internal Audit Team, in cooperation with the Export Control Compliance Team, sets the audit questions to be examined. For testing, to ensure that a representative number of shipments is audited, Internal Audit will use a random sampling methodology that creates an opportunity for every shipment, customer, and/or destination to be selected for testing.
The internal audit will be conducted by the internal audit team, which is composed of auditors selected for their qualifications and expertise in the export control compliance field. If Internal Audit needs additional expertise, they will contract with an external provider to obtain that expertise.
Internal Reporting & Corrective Actions
Within the last chapter of your Internal Compliance Program, the objective is to provide clear guidance to employees regarding notification, escalation, and corrective action when there are problems or suspected problems with export transactions.
You should explain your company’s notification program for reporting suspected incidents of export-related non-compliance.
Management should show that it is fully committed to conducting business in compliance with the law’s letter and spirit and fostering a safe environment for employees who raise questions or concerns about compliance.
Employees should not only be encouraged to report suspected export violations but also know that management views reporting suspected violations as an integral part of the company’s compliance program and an essential part of the responsibility and duty of each employee’s job.
Employees should be assured that they must speak up if they are unsure about the proper course of action or need advice, if they believe another employee is doing, or may be about to do, something that violates the company’s compliance program, or if they think that they have personally been involved in non-compliant activity.
In addition to this management commitment, your ICP should indicate to whom employees should report suspected incidents of export-related non-compliance. Employees should also be enabled to make reports anonymously, for example, by filing them in a letterbox at reception. They should be assured that those reports would be kept confidential and shared only on a “need-to-know” basis.
Considering that every problem is a learning opportunity to enhance your company’s ICP and its business and compliance processes, you should incorporate lessons learned into your training and awareness programs and your next ICP update.
ICP validation by licensing authorities
Presenting the ICP for validation
You do not have to wait for a particular global license application. Instead, you may take the initiative beforehand and provide authorities with your program as soon as it is validated by the company’s board of directors or top-level management.
Companies should consider that if an ICP is presented with a global license application, the processing deadline for the license application (in Luxembourg, up to 90 business days) may not be sufficient for assessing the ICP simultaneously.
To avoid the risk of not being granted the global license because the ICP assessment process is ongoing, it is recommended to provide the authorities with the ICP well before license applications.
It should not be forgotten that licensing authorities may, during the ICP assessment, reach out to the applicant company to ask for additional documents, specific information concerning particular points of the ICP, or personal meetings with company representatives. This may impact the duration of the assessment process.
Luxembourg authorities must get the ICP (including all attachments) in two original paper versions and, at the same time, an electronic copy by email.
Verification by the authorities
The verification process may be different according to the various national authorities.
In Luxembourg, the 2020 Guidelines foresee a checklist for each ICP chapter through which authorities shall assess the content of the relevant chapter. All chapter checkpoints will result in a list of several points that OCEIT allocates to the ICP. The number of points reached by the ICP will determine the validation outcome.
Authorities may validate the ICP as a whole or only partially while asking for improvements or adding conditions to their validation. They may also request an amended, improved, and/or complete ICP.
Updating the ICP
The company’s ICP should be updated as soon as there is a change in the applicable legislation (e.g., the recent recast of the EU Dual-Use Regulation, moving from 428/2009 to 2021/821), the company’s risk exposure, or the customer or product database.
Such an update should consider the conclusions of the most recent audit and possible internal reporting and evaluate the human resources dedicated to export control compliance.
A good business practice is to update the ICP once a year, starting in January, so that the update can be completed and presented to authorities in the first quarter.