Export Control
Requirements Document
Prepared by: TSCP Export Control Working Group (ECWG)
Consolidated from reviews of:
United States International Traffic in Arms Regulations (ITAR), United States
Export Administration Regulations (EAR),
UK Export Control, Netherlands Export Control,
French Export Control, EU Dual Use
Document Version: 1.0
All rights reserved Terms and Conditions
Transglobal Secure Collaboration Participation, Inc. (TSCP) is a consortium comprising a number of commercial and
government members (as further specified at http://www.tscp.org) (each a “TSCP Member”). This specification was developed and is being released under this open source license by TSCP.
Use of this specification is subject to the disclaimers and limitations described below. By using this specification you (the user) agree to and accept the following terms and conditions:
1. This specification may not be modified in any way. In particular, no rights are granted to alter, transform, create derivative works from, or otherwise modify this specification. Redistribution and use of this specification, without modification, is permitted provided that the following conditions are met:
Redistributions of this specification must retain the above copyright notice, this list of conditions, and all terms and conditions contained herein.
Redistributions in conjunction with any product or service must reproduce the above copyright notice, this list of conditions, and all terms and conditions contained herein in the documentation and/or other materials provided with the distribution of the product or service.
TSCP’s name may not be used to endorse or promote products or services derived from this specification without specific prior written permission.
2. The use of technology described in or implemented in accordance with this specification may be subject to regulatory controls under the laws and regulations of various jurisdictions. The user bears sole responsibility for the compliance of its products and/or services with any such laws and regulations and for obtaining any and all required authorizations, permits, or licenses for its products and/or services as a result of such laws or regulations.
3. THIS SPECIFICATION IS PROVIDED “AS IS” AND WITHOUT WARRANTY OF ANY KIND. TSCP AND EACH TSCP MEMBER DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT,
MERCHANTABILITY, QUIET ENJOYMENT, ACCURACY, AND FITNESS FOR A PARTICULAR PURPOSE. NEITHER TSCP NOR ANY TSCP MEMBER WARRANTS (A) THAT THIS SPECIFICATION IS COMPLETE OR WITHOUT ERRORS, (B) THE SUITABILITY FOR USE IN ANY JURISDICTION OF ANY PRODUCT OR SERVICE WHOSE DESIGN IS BASED IN WHOLE OR IN PART ON THIS SPECIFICATION, OR (C) THE SUITABILITY OF ANY PRODUCT OR A SERVICE FOR CERTIFICATION UNDER ANY CERTIFICATION PROGRAM OF TSCP OR ANY THIRD PARTY.
4. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY CLAIM ARISING FROM OR RELATING TO THE USE OF THIS SPECIFICATION, INCLUDING, WITHOUT LIMITATION, A CLAIM THAT SUCH USE INFRINGES A THIRD PARTY’S INTELLECTUAL PROPERTY RIGHTS OR THAT IT FAILS TO COMPLY WITH APPLICABLE LAWS OR REGULATIONS. BY USE OF THIS SPECIFICATION, THE USER WAIVES ANY SUCH CLAIM AGAINST TSCP OR ANY TSCP MEMBER RELATING TO THE USE OF THIS SPECIFICATION. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE FOR ANY DIRECT OR INDIRECT DAMAGES OF ANY KIND, INCLUDING CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, OR OTHER DAMAGES WHATSOEVER ARISING OUT OF OR RELATED TO ANY USER OF THIS SPECIFICATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
5. TSCP reserves the right to modify or amend this specification at any time, with or without notice to the user, and in its sole discretion. The user is solely responsible for determining whether this specification has been superseded by a later version or a different specification.
6. These terms and conditions will be interpreted and governed by the laws of the State of Delaware without regard to its conflict of laws and rules. Any party asserting any claims related to this specification irrevocably consents to the personal jurisdiction of the U.S. District Court for the District of Delaware and to any state court located in such district of the State of Delaware and
Contributors
TSCP Inc. extends its gratitude to the many individuals who contributed their time and effort to produce this important document. The result of their work provides a valuable resource to TSCP and its member community. Listed below are the individual contributors and their affiliations at the time of their work: US Team
Joyce Counts, Booz Allen Hamilton Inc./Air Force Rob Sherwood, Exostar
Cheryl Holt, DRS Technologies, Inc./Finmeccanica Heather Sears, DRS Technologies, Inc./Finmeccanica Brian Emmet, Lockheed Martin Space Systems Company David Sizmur, Lockheed Martin Space Systems Company Doug Ingram, Lockheed Martin Space Systems Company Barry Sidebottom, Raytheon
Luis Dannenfels, Raytheon Ken Burton, The Boeing Company Michael Hoffman, The Boeing Company European Team
Martijn Postma, Netherlands Ministry of Defence Laura Verdijk, Netherlands Ministry of Defence Bart van Lent, Netherlands Ministry of Defence Sylvia Coburg, The Boeing Company (UK) David Townsley, BAE Systems (UK) Richard Skedd, BAE Systems (UK)
Nigel Griffin, DRS Technologies, Inc./Finmeccanica (UK) Alexander Groba, EADS (Germany)
Arnaud Idiart, EADS (France)
Rene Wiegers, National Aerospace Laboratory (NLR, Netherlands) Hetty Raaijmakers, National Aerospace Laboratory (NLR, Netherlands) Michael Frackiewicz, Northrop Grumman (UK)
Markus Sellmer, Northrop Grumman Sperry Marine (Germany) Brian Doyle, Raytheon (UK)
Table of Contents Contributors ... ii 1. Introduction ... 1 1.1 Purpose ... 1 1.2 Scope ... 1 1.3 Definition(s) ... 2
2. Understanding Export Control Regulations ... 5
2.1 Regulations ... 5
2.2 Export Control Policy Authority ... 6
2.2.1 Item control lists ... 6
2.2.2 Authorization system (licenses) ... 6
2.3 Specific authorizations, exemptions and best practices ... 7
2.3.1 International coordination ... 7
2.3.2 Sanctions and embargos vs. regulations ... 8
2.3.3 Restricted or Denied Parties Lists ... 8
2.3.4 Transfers of dual-use goods between EU countries ... 8
2.3.5 Specific national regulations ... 9
2.3.6 Multiple jurisdictions ... 10
3. Consolidated Export Control Business Scenarios ... 11
3.1 Business Scenarios Overview ... 11
3.2 Roles and responsibilities ... 12
3.3 Business Scenario Legend ... 13
3.4 Business Scenario 1: Authorization Process ... 14
3.5 Business Scenario 2: Implementation Process ... 15
3.6 Business Scenario 3: Release Process ... 16
3.7 Business Scenario 3.10: Systemic determination ... 17
4. Requirements ... 18
4.1 Process Steps – Requirements BS 1 ... 18
4.2 Process Steps – Requirements BS 2 ... 32
4.3 Process Steps – Requirements BS 3 ... 41
Annex I: Common Licenses and Agreements ... 51
Annex II: Recordkeeping Requirements ... 54
UK Recordkeeping Requirements ... 54
U.S. EAR Recordkeeping Requirements ... 54
U.S. ITAR Recordkeeping Requirements ... 55
EU Dual Use Recordkeeping Requirements ... 57
1.
Introduction
1.1 PurposeThis document presents consolidated requirements for handling of items classified as Export Control (EC) according to the regulations listed in section 1.2.
1.2 Scope
The consolidation is based on the Transglobal Secure Collaboration Program (TSCP) Export Control Working Group (ECWG) requirements analysis1 of the following Export Control regulations:
1. The International Traffic in Arms Regulations (ITAR) as implemented by the United States Department of State and its responsibility for the control of the permanent and temporary export and temporary import of defense articles and services as governed by the Arms Export Control Act.
2. The Export Administration Regulations (EAR) that are issued by the United States Department of Commerce under the Export Administration Act, the International Emergency Economic Powers Act (IEEPA) and various other legislation relating to the control of certain exports, re-exports of dual-use and civil items, as well as anti-boycott activities.
3. The United Kingdom Export Control Act (UK EC) and associated UK national law and EU law covering export control and trade control legislation for ‘dual-use’ and military items. 4. The Kingdom of The Netherlands General Customs Act and the Strategic Services Act (NL EC)
and associated NL national law and EU law covering export control and trade control legislation for ‘dual-use’ and military items.
5. The French Republic Defence Code (FR EC) and associated French national law and EU law covering export control and trade control legislation for ‘dual-use’ and military items.
6. The European Union Council Regulation EC 428/2009 (EU Dual-Use) and associated EU member state national implementations, which hold the European Community regime for the control of exports, transfer, brokering and transit of dual-use and civil items.
The requirements analysis includes best practices from TSCP member organizations, to reflect common management processes such as:
• Definition, release and registration of an item (intended) for export.
• Various interactions between organizations or organizational units required when handling items classified as Export Control.
The requirements have been defined in the context of TSCP and its projects, such as Secure Email (SE) and Information Labeling and Handling (ILH), but should be applicable to any collaborative scenario that involves exchange of classified or otherwise marked sensitive items.
1 Available through TSCP only; please see www.tscp.org for contact details.
1.3 Definition(s)
The following table presents definitions used in this document. These are listed in sequence of importance for understanding Export Controls. The definitions are also included at the relevant topics (as descriptions, footnotes or requirements notes).
Item Definition Comment(s)
Conflict (in
authorizations) A condition whereby restrictions on one authorization are not aligned with restrictions on another authorization for releasing the same data to the same recipient.
Export Authorization Managers are expected to perform a conflict analysis during the Authorization Determination Process. In the event the conflicts between Export Authorizations are identified, the Export Authorization Manager may be required to apply for a revision of one or more of the Export Authorizations.
Dual-Use item Any item listed in a (Export Control)
Dual-Use item classification list. Any item normally used for civilian purposes but that may have military applications and are therefore regulated by specific export controls for dual-use items.
End User/Recipient The legal or natural person who is legally responsible for the receipt of an
export/transfer.
For this document a representative who • handles a controlled item (transit,
broker, etc.),
• receives/modifies a controlled item for final use, or
• uses it to modify another item (integration).
is considered to be End User/Recipient. That may include a variety of parties, such as:
• A customer (the final consignee) to whom a supplier of items (e.g., the exporter) is directly or indirectly contracted to;
• Third parties to the customer or supplier, including consignees, brokers, transit service organizations; • Co-workers within the customer or
supplier organisation;
• Integrators. who must be seen as the end users of an item as a component, as far as the integrated product is
Item Definition Comment(s)
handles/modifies information regarding an export becomes an End
User/Recipient, even if the information stays within one organization. That is also why the "deemed export" principle applies to any non-authorized national. In some requirements ‘Foreign’ or ‘non-National’ is added to refer to definitions in a specific regulation or to provide clarification for a business context example.
Export/Transfer
Authorization Any legal term or document that permits sharing of an (Export Control) item to a legal or natural person in any third country is considered an Export Authorization. Distinction is made for:
• An Export Authorization as approval of an export from the government Policy Authority, granted to a company. • A ‘Company Authorization to Export’.
This is the internal approval of the company to export an item.
An export license is the most occurring example.
Export Authorization or Transfer Authorization is used throughout this document to keep it readable. But note that this may include a variety of permits that allow transfer, transmission, movement, passage through or other exchanges of an item from a supplier to a recipient permitted by the (Export Control) regulations, such as commercial customs documents, notifications, exceptions, exemptions, intra-community transfer licenses or negotiation or assistance agreements.
Export/transfer or import
Re-export or deemed export
Sharing of an (Export Control) item to a legal or natural person in any third country is considered an export/import/transfer. Re-export or deemed export could be the case if an item is re-exported (this also means sharing items within one country with a non-authorized national) or incorporated into other equipment that is subsequently re-exported.
In this document there is no particular distinction between export/transfer or import or re-export/deemed export. Most requirements for these transfer types turned out to be very similar. Therefore all types are considered different sides of the same medal. Details are mentioned in the requirements section where particular aspects differ. Exporter The legal or natural person who is legally
responsible for sending an item as an export/transfer.
Responsibility is assumed to be delegated to a Program Manager.
Implementation
Plan A plan developed by a program based on (a subset of) the requirements in the Internal Control Plan.
Usually one Implementation Plan per program is written.
The implementation plan may be shared with external program partners such as suppliers
Implementation
Item Definition Comment(s) Internal Control
Plan (ICP) The complete plan how one company plans to manage an export/transfer under a specific authorization.
Usually one ICP per company is written. It outlines implementation requirements of an authorization to ensure compliance and mitigate risk. Each company may name or define this document differently. The same information may also be (partially) covered in a company’s Export Compliance Plan/ Corporate Guideline. The ICP is usually an internal document. Item Any product, material, goods, technology,
software, service. This could be a physical item or an intangible item like a piece of electronic data, a phone call, providing assistance.
Particular examples are Technical Data / Technical Assistance under the ITAR. In the case of ITAR/EAR this includes (sharing of) agreements, such as an ITAR Technical Assistance Agreement that may serve as an Export Authorization itself. Military item Any item listed in a (Export Control) military
item classification list. Encompasses all equipment that has been specially designed or modified for military use, such as parts, components,
accessories, tools, documentation, and specific environment materials, as well as various pieces of equipment, software, technology, services and information. The Defence-related products listed in the Annex of the EU ICT2 Directive are also considered military items.
Scope Scope to enable the authorization determination by the export control manager.
The Export Authorization application could require the inclusion of specific data about the scope of participation for each participant.
Services An (outsourced) activity performing or supporting a business process in which an (Export-controlled) item is shared in the context of that service or the service itself is listed as military or dual-use item.
Services in this context could include intangible data transfer or face to face meetings to provide assistance and is therefore not limited to physical services such as performing maintenance.
2.
Understanding Export Control Regulations
Organizations3 have considerable leeway in implementing the various regulations on Export Controls,
and the details to do so are usually determined by a risk assessment conducted by the exporting organization.
It is best practice to have readily available (legal) expertise on this (in company or contractor) to ensure correct understanding of regulations, commodity jurisdiction, license jurisdiction and implementation of export controls.
2.1 Regulations
Foreign trade interests, national security objectives and international agreements (treaties, sanctions, etc.) require measures prohibiting the free trade of certain items of strategic value. These measures are most well-known as Export Control Regulations.
This may suggest these regulations only deal with strategic items leaving national territory; however, Export Control Regulations should be considered as a set of general trade controls that put limitations on many transactions, such as:
• Import • Export
• In-country transfers (so called ‘deemed exports’ -U.S. controls)4
• Dual or third country nationals (U.S. controls) • Extra-territorial controls
• Brokering and transit of items (also consider intra-company transfers across borders) • The end use of the item
• The end user(s) or the ultimate consignee and/or country of destination
• Supporting services (such as financial transactions or transportation) associated with the handling of a strategic item
Regardless of the purpose (import, export, re-export, etc.), every organization handling export-controlled items must meet the strict conditions stated in the national export control regulations of their country of residence.
Examples:
• The International Traffic in Arms Regulations (ITAR) controls export by U.S. entities of defense articles and defense services. It is authorized by Section 38 of the Arms Export Control Act, and managed by the U.S. Department of State. In basic terms, the ITAR restricts distribution of items identified on the US Munitions List (USML) to non-U.S. entities.
• The French Export Control regulations defines (by arrêté of 27 June 2012) a control list for classification of military items of which the most significant in each ML sub categories of are additionally classified as “matériel de guerre”. These items are subject to prior authorization to be imported (except from EU member states), manufactured, sold or buy even on the French
3 Export Control Regulations consider handling of sensitive, strategic items. For a large part these items are products used and delivered by organizations in the Aerospace & Defence industry. Understanding Export Controls is therefore one of the main objectives for TSCP. However, the Export Control requirements discussed here should be valid for and applicable to other industries as well (Transport and Logistics, Oil and Gas, etc.).
4http://www.bis.doc.gov/index.php/policy-guidance/deemed-exports
territory. The exhaustive list of these “matériel de guerre” is the subject of the Article 2 of the Décret 95-589 of 6 May 1995.
In certain cases, additional (international) export control regulations could be placed on top of national regulations (extra-territorially).
Examples:
• For EU member states, the EU Intra-Community Transfer (ICT) directive must be transposed and enforced as an addition to existing national controls.
• For a Netherlands-based company that is importing strategic items from the U.S., and by that is required to be an ITAR Technical Assistance Agreement (TAA) co-signee, the ITAR would be in force in parallel with Dutch national controls.
2.2 Export Control Policy Authority
Export controls are enforced by law, orders and stipulations, and exporting items requires governmental approval (often per a license). This enforcement and approval is usually tasked to one national
government body that serves as the Export Control Policy Authority (ECPA).
Examples:
• In the UK, the Department for Business Innovation & Skills (BIS) serves as the ECPA.
• In France, the export control regulations consider multiple stages, and different licenses are required for each different stage of the manufacturing and import/export chain. Depending on the stage, the requested license type, and the particular nature of the intended export,
authorization is approved by the Minister of Defence, the Prime Minister or the Director General of Customs.
Additional examples are:
• Canadian Export and Import Controls Bureau (EICB)
• Australian Defence Export Control Office (DECO).
The ECPA maintains one or more publicly available item control lists to assist organizations with determining whether items are export-controlled, and quite often supports organizations dealing with the Export Control regulations via guidelines, a manual or informal consultation.
2.2.1 Item control lists
The ECPA item control lists specify products, materials, data, services or technologies that are considered of strategic importance. Distinction in lists is often made for:
• Military items
Conventional arms, military technology and hardware, excluding materials related to Weapons of Mass Destruction (WMD)
• Dual-use items
Products and technologies normally used for civilian purposes but that may have military applications and are therefore regulated by specific export controls for dual-use items. • Commercial trade
There are multiple types and categories of licenses that may be used or required for an authorization to export. Depending on the strategic items for which they are intended, and the situations in which they may be used.
Annex I: Common Licenses and Agreements provide an overview of common types of licenses used in the Aerospace & Defence industry. This is not a complete overview as the license systems differ per country / per Export Control regulation, and may change over time.
Note that:
• An export may not need a license (when it is exempted), but a notification requirement may still apply.
• Issued licenses that have not yet been exhausted, but where the validity date is nearing expiration, may be renewed or extended.
• A license for dual-use/military goods usually has a limited validity (often between a half and two year) but some countries have open licenses that have no expiry date.
• A license or exemption is considered as governmental approval, for most organizations it is best practice to run the intended export/import by an internal management approval process as well.
Examples:
• German Export Licenses are generally valid for a period of one year and/or two years, pending on the classification of goods / technology (Export control list annex 1A or 1C) and depending on the countries for which the export is destined to.
• UK OGEL and EU GEA are two examples of general licenses. See Annex I: Common Licenses and Agreements for detailed description.
2.3 Specific authorizations, exemptions and best practices 2.3.1 International coordination
Most governments implement national export controls in international coordination with the following important institutions:
1. Treaties and Export Regimes
Most conditions and policies stated in Export Control regulations and policies are internationally coordinated through treaties and specific export regimes. The following regimes (in order that they appear in most countries’ regulations) are most common:
• the Wassenaar Arrangement (WA)5
• the Missile Technology Control Regime (MTCR)6
• the Nuclear Suppliers Group (NSG)7
• the Australia Group (AG)8
• Chemical Weapons Convention (CWC)9
5http://www.wassenaar.org 6http://www.mtcr.info
7http://www.nuclearsuppliersgroup.org 8http://www.australiagroup.net
2. The North Atlantic Treaty Organization10
There is a specific NATO exemption, for example in NL EC and in U.S. ITAR, but that is only valid for indicated NATO-forces. Movement of Military items11 between member states still requires a
license, although a simplified license application procedure may be used. 3. The United Nations12
UN sanctions may require additional measures on top of the regular export controls. 4. The European Union13
Movement of almost all Dual Use items between member states may be exempted from a license requirement. EU Sanctions may require additional measures on top of the regular export controls.
5. OSCE – Organisation for Security & Co-Operation in Europe14
2.3.2 Sanctions and embargos vs. regulations
Sanctions (like EU and UN sanctions) or embargoes may require additional measures on top of the regular export controls. It sometimes happens that a license is required in accordance with the export regulations whereas sanctions call for a prohibition. In such cases, the prohibition takes priority. 2.3.3 Restricted or Denied Parties Lists
Besides the controls of export or specific sanctions, it is regarded best practice to determine in any case of export of strategic goods whether any end user is listed on any restricted or denied parties list. The (intended) export will not be permitted or may be subject to additional restrictions if an entity is present on these denied parties and proliferation control list(s).
Examples:
• The consolidated list of persons, groups and entities subject to EU financial sanctions15 • The UK BIS lists-to-check16
More examples may be found in the requirements for Business Scenario 1.3, see section 4.1.
2.3.4 Transfers of dual-use goods between EU countries
Items classified as EU Dual-use may be traded freely (formalities for Intra-Community Trade) within the EU except for the more sensitive items, listed in Annex IV to Regulation EC 428/2009,17 which are
subject to prior authorization.
9http://www.opcw.org/chemical-weapons-convention (this is a treaty; often grouped with the Common Regulations on Export Control)
10http://www.nato.int
11 Excluding specific items that are used for chemical warfare
12 UN: http://www.un.org, UNODA: http://www.un.org/disarmament/convarms/ArmsTrade/, Security Council Resolutions: http://www.un.org/en/sc/documents/resolutions/index.shtml
13 EU: http://europa.eu, Sanctions: http://eeas.europa.eu/cfsp/sanctions/index_en.htm
Suppliers wishing to apply for that authorization (individual or global but not general licenses) should contact the competent national authorities for details of what information must be supplied to support the application.
2.3.5 Specific national regulations
National authorities may require specific national export controls on (dual-use) items unlisted in common regulations (e.g., in France: tear gas or commercial helicopters). Exporters should therefore refer to their relevant national rules and check the situation with regard to their specific transactions. Such controls may apply where there is a risk that an export to a specific end-user might be diverted for terrorism, use in a weapon of mass destruction, violation of an embargo or certain other situations specified in the national regulations on export controls.
Besides the controls of export of goods appearing on the item control lists, should there be cause to do so, it is possible for the ECPAs to subject exports of other goods to a license requirement by means of an ad hoc or a catch-all provision.
Note that licenses approved by the national ECPA may include provisions, or specific limitations that must be understood and complied with.
Examples:
Items not listed on an item control list, but still may be subject to export controls.
• EU Dual Use (Articles 4 & 8 of the Regulation EC 428/2009)
• The United Kingdom Export Control regulation Annex II as well as Annex III are amended with a list of capital punishment and torture goods (also called the EU Human Rights list)
Items may be required to be checked at specific border points.
• EU Dual Use may pose additional checks inside the EU Customs zone (Article 11 and 17 of Regulation EC 428/2009).
Items that are not, in principle, subject to mandatory licensing may be subject to a catch-all provision. • Where the items in question are or may be intended for projects relating to Weapons of Mass
Destruction (WMD) or missiles capable of delivering such weapons
• Where the purchasing country or country of destination is subject to an arms embargo by the European Community, the United Nations (UN) or the Organization for Security and Co-operation in Europe (OSCE) and the items in question are or may be intended, in their entirety or in part, for a military end-use. (See Chapter II, Article 4, paragraph 2, of the Dual-use regulation)
• Where the items in question are or may be intended for goods appearing on the EU list of military goods that have been wrongly exported to the country of end-use without the proper license required (see Chapter II, Article 4, paragraph 3, of the Dual-use regulation). In such a case the exporter will be duly notified.
Items may be declared subject to an ad hoc license requirement.
• In case of transit of military goods under a notification requirement. If there are indications that such a transaction is not under the effective control of the country of origin, or if in the course of
17http://ec.europa.eu/trade/creating-opportunities/trade-topics/dual-use
its transit across foreign territory a transaction appears to acquire a different destination than intended upon issuance of an export license.
• In the interest of (inter)national law and order or a related international agreement
• For the protection of the essential interests of national security, for reasons of public security or for human rights considerations
2.3.6 Multiple jurisdictions
In certain cases, items may be determined to be controlled under multiple jurisdictions.
Examples:
• Export Controls for military/dual use items are levied from a national level, but the items could also still be extra-territorially controlled from a foreign country, dependent on their origin. See 2.1 Regulations. For an example, on import/export of a U.S. ITAR controlled item by a Dutch company.
• There may be additional or conflicting restrictions put on the exporting organization because of other (national) regulations like Privacy, National Security or Intellectual Property Protection.
• Organizations may have specific compliance restrictions that are levied upon them by suppliers, customers (such as the U.S. Department of Defense), or due to additional restrictions levied by the National Export Control Policy Authority on a specific program or organization.
3.
Consolidated Export Control Business Scenarios
The requirements in this document are collected by the TSCP Export Control Working Group, composed of Export Control subject matter experts and Enterprise Architects from the TSCP member companies. The requirements and recommendations are collected through discussion and analysis of Export Control activities in their enterprises. However, current practices vary widely among participants and are often based on a mixture of manual and automated processes.
In order to create a representative and common set of requirements /recommendations when dealing with implementation of Export Control regulations, the TSCP ECWG has identified Export Control requirements based upon the three consolidated business scenarios.
These Business Scenarios, therefore, do not reflect current practice or cover every type of export/import in an exact manner. Rather, they allow the ECWG to append requirements to business processes, which could be supported by information technologies such as those proposed by TSCP.
3.1 Business Scenarios Overview
Nr Title Process steps Storyline
BS 1 Authorization
Process 1. 2. Define Export Obtain Authorization 3. Corporate approval
The need and the type of export must be identified on a general level before any authorization may be obtained.
Authorization(s) are usually obtained from the national export control policy
authority, analyzed and amended with a company approval to proceed with the export.
BS 2 Implementation
Process 1. 2. Define Internal Control Plan Implement Control Plan 3. Verify Implementation
An Internal Control Plan18 must be written to determine how to control the export under the obtained authorizations. The defined controls should be implemented and verified regularly.
BS 3 Release Process 1. Create and analyze 2. Package and label 3. Release and Register
With the general conditions set, individual items may now be created, packaged and labeled prior to release for export. Every release transaction should be logged. The TSCP ECWG expects that implementation of TSCP capabilities supporting these business scenarios will:
1. simplify the process of managing export authorizations;
2. ensure compliance/ simplify compliance appreciation by the various ECPAs; 3. reduce the risk of noncompliance;
4. reduce the overall cost of compliance.
18 Definition: Internal Control Plan (ICP) is a document that outlines implementation requirements of an authorization to ensure compliance and mitigate risk. Each company may name or define this document differently. The same information may also be (partially) covered in a company’s Export Compliance Plan.
3.2 Roles and responsibilities
The process steps as listed in 3.1 Business Scenarios Overview are performed by one or more entities (persons, computers). The following table lists these entities in sequence of appearance (See Annex IV: Reference tables for the reference to the original entity descriptions).
In order to keep the scenarios and their requirements understandable, and since the regulations are most well known as Export Controls, the interactions have been written from the perspective of an export transaction by an exporter under an Export Authorization.
It should not be mistaken that these scenarios are only valid for export. The same or very similar entities, interactions and particularly the requirements are equally valid for any transaction of a controlled item, in any form as listed in 2.1 Regulations.
To clarify that: in the Business Scenarios diagrams, swim lanes are used to indicate process involvement per entity. Interactions with the top swim lane (titled End User or external recipient) may be considered crossing organizational boundaries.
Examples (in all cases the same requirements apply):
• In the perspective currently used for the ECWG Consolidated Business Scenarios, this means crossing from an exporting company (per a Program Manager) to the external End User.
• From an internal company perspective, this could be:
o crossing between office locations in two different countries (true export), or
o crossing between two individuals in one office location, of which one is a member of the
program and authorized to access program data, the other is not (deemed export).
• From an importing perspective, the top swim lane title changes to exporter (but is still the external entity) and the Program Manager works for a company that is importing controlled items. In essence, the process flow follows the same sequence (determination of need and scope of the import, followed by an import license application) resulting in equivalent requirements on end user, end use, etc.
Entity Name Short Description of the role Comment(s) End User (in this
scenario an external recipient)
A representative who handles (transit, broker), receives/modifies a controlled item for final use or use it to modify another item (integration).
Has responsibility for handling and acting in compliance with export regulations.
There has been discussion on the different understandings of End User. Please see section 1.3 Definition(s) for the intended meaning for this requirements document.
Program Manager A representative within the exporting company who is assigned to a particular work effort or program, where export is required.
Has responsibility for export compliance as being the owner of the item destined to be transferred (data/goods/services….)
The data ownership is the important contributing fact to distinguish responsibilities.
The work effort does not have to be a program but could also be a
Entity Name Short Description of the role Comment(s) Export
Authorization Manager
A representative 19 with expertise on Export Control regulations within the exporting company.
Has responsibility for identifying the need for Export authorizations, coordinating the application and use of Export authorizations, including conflict resolutions, and managing the overall export control activities for the company such as assisting with
implementation and audit.
This is often the official that classifies an item per export control list.
Export Control
Policy Authority A government representative with authority to grant authorizations, audit exporters and define the (national) export control policy. Company
Management Those responsible for (executive) management support within the exporting company.
Examples of responsibilities: logistics, archiving IT, Security, Internal Audit, Human Resource, Business Continuity Program personnel An individual assigned to the program with
responsibility for
a) Creating and managing items that may be exported,
b) Sending items to the End User.
Note that these entities are divided in functionally separate roles based on the different responsibilities that have been defined when creating the Export Control business scenarios. In reality such roles may be fulfilled in very different ways.
Examples:
• The Export Authorization Manager may be a full position of a trade compliance officer in a company, but could also be a side-job of someone else (e.g., legal expert, project manager).
• A small company may have to take on all roles and responsibilities when exporting (apart from the End User) to a customer.
• A large company (OEM) may act on these export control responsibilities on behalf of a smaller supplier (under the EU intra-community transfer directive).20
• Anyone importing (normally just the End User role) may be required to perform actions on all other responsibilities to (indirectly) ensure compliance (as is the case for ITAR TAA).
3.3 Business Scenario Legend
The following legend shows the titles and their corresponding colors used in the Business Scenarios’ diagrams:
Assisted by Electronic Systems Implemented by
Electronic Systems Manual Process Out of scope Document(s)
Regular Optional Coordination
19 Usually called an “Empowered Official” in the U.S.
20 "certified companies" may act on behalf of smaller partner-organizations under conditions stated in the EU Intra-Community Transfer Directive. This does not mean the certified company becomes fully liable.
3.7 Business Scenario 3.10: Systemic determination
Request to export item
BS-4.1 Is the end user on any governement published restriced party list (DPL)? BS-4.11 Is the destination an EU trade community member? Allow Access (permitted under EU
Dual Use) – must add warning
BS-4.12 Is the item permitted to freely move within
the EU Trade Communtity? BS-4.3 Have labels been applied to the item? BS-4.7 Do labels indicate "EU Dual-Use"? Continue with processing other labels such as IP-Protection, Privacy,
Financial, Security
BS-4.15 Are all other authorization/ exception requirements
met? BS-4.13
Has the exporter registered for or ob-tained an appropriate
authorization/ exception for this
export?
Deny Access – must add warning
Allow access: access permitted by authorization/ exception (add warning)
Verify end user and labelling
BS 3.10 Systemic export determination process (example flow)
© TSCP Inc.Export Control Working Group
Verify destination and authorization
Allow Access. No label hence public.
No BS-4.4 Do company policies dictate appropriate labelling of all items? No Yes Deny Access. BS-4.8 Do labels indicate other policies? No Yes No BS-4.5 Do labels indicate "ITAR"? BS-4.6 Do labels indicate "EAR", “UK EC”, “FR
EC” or “NL EC”? No No Yes Yes Yes Yes No No No Yes No Yes Yes Collected characteristics of the Item and the
end user
Yes
Yes Yes
BS-4.9 Has the end user U.S. Person status (or exception)?
BS-4.10 Is the end user an
employee of the exporter?
Yes BS-4.14
Is the end user’s access/ nationality/location/ country of incorporation
permitted? BS-4.2
Has the end user completed Export Awareness Training? No No No No No Allow Access (permitted under ITAR) – must add
warning Yes
4.
Requirements
4.1 Process Steps – Requirements BS 1
BS-1.1 Identify need to share goods/data/services Participants Program Manager
Description The exporter’s Program Manager identifies a need to share or retransfer an item (goods/data/services) with partners, in the context of that program.
Outputs • Initiation of Export Analysis process
• An overview of collected items that need to be shared
Requirements 1. The overview needs to contain sufficiently described items to enable export license identification.
2. The intended location(s) for all goods/data/services in the scope of a program must be identified.
Notes The Program Manager will usually coordinate with each (external) program partner to identify the items to be exchanged. Coordination commonly starts when the Program Manager:
• receives a specific request to deliver items, or • pro-actively identifies a need to share items.
The Export Authorization Manager in BS 1.3 and BS 1.6 will determine if the overview of items is sufficient.
Definition:
Services in this context could include intangible data transfer or face-to-face meetings and is not limited to physical services such as performing maintenance.
Particularly in the case of ITAR/EAR, this includes sharing agreements, such as an export license or an ITAR Technical Assistance Agreement.
BS-1.2 Identify intended end users, if required include their location and identity details Participants Program Manager
Description The Program Manager collects a list of intended recipients with whom program must share goods/data/services.
Outputs List of end users including required details of their location and identity
Requirements 1. Every recipient organization must be unambiguously identified. This includes identification of any party involved that needs access to controlled data (direct access and also third parties that are involved. These could be third parties to your partners, customers or suppliers.
2. Depending on the export regulations or company policies, individual recipient persons may have to be identified.
3. In all cases, every individual recipient location must be provided.
4. While recipient location is the most important common characteristic under the export regulations reviewed, other recipient characteristics may also be needed. 5. Sharing constraints regarding recipient characteristics must be provided for each
BS-1.2 Identify intended end users, if required include their location and identity details The following table describes these requirements in detail, categorized in identification elements.
Identification
element: Minimum required characteristic(s): Other/detailed characteristic(s): location country of
destination Address, facility number, intra-company transfer details organization company name;
address consignee location (country name only, for recipients that are temporary stationed abroad); departments, Chamber of Commerce number or Exporter Identification Number
person full personal name U.S.-Person status; (countries of) citizenship(s) or nationality(ies); business roles/position; birthplace Notes From a regulatory perspective, identification of a person by full personal name is not
always required. It is still considered a minimum required characteristic because of company best practices:
• For the company representative who acts as the applicant and should supply this as point of contact for the application;
• For verification against denied parties and proliferation control list(s) (see BS 1.3); • From perspective of secure electronic communications.
Examples for other characteristics:
• In the case of U.S. ITAR and U.S. EAR it is required to identify nationality including identification of dual nationals and 3rd country nationals.
• In France, a specific Identification Number (authorization de commerce) is required to export or import as well as manufacture or trade the most sensitive products classified as "Matériel de Guerre" (equivalent to Significant Military Equipment in the ITAR). A specific registration is also necessary for EU ICT General Transfer Licenses and French General Export Licenses when filling an export license
application form for which the application process requires additional information.
• When specific export prohibitions are taken into account on top of national export regulations. Such as the EU list of embargoed countries and denied persons.21
Example for sharing constraints:
• Personal data protection laws and regulations may limit an End User from sharing personal identity details or provide restrictions on the use and storage of personal identity details.
Recommendation:
Even though each export license application is handled in a case-by-case manner, it might help the exporter to create overviews of recipients/destinations:
• authorized within the program (‘white list’); • not authorized within the program (‘black list’); • that needs further scrutiny (‘red flag list’).
21 http://eeas.europa.eu/cfsp/sanctions/docs/measures_en.pdf
BS-1.2 Identify intended end users, if required include their location and identity details It may be possible to support these lists within company export control support systems (see also BS 1.6). Using categories of persons rather than individual identities could be more pragmatic (e.g., from privacy perspective) for the administration, updating and management of these overviews.
BS-1.3 Verification against denied parties and proliferation control list(s) Participants Export Authorization Manager
Description The Export Authorization Manager will review the list of recipients (end users, co-workers, suppliers and consignees) to ensure that none of them are present on any EU or national government denied party list.
Outputs Screened partners (against the appropriate lists). Requirements The Export Authorization Manager must:
1. ensure the current DPL is used. 2. use a verification method that
o supports sufficient identification of business partners who appear on a denied party list (i.e., names may be spelled differently in a DPL and a company’s CRM database).
The Export Authorization Manager must be able to edit the DPL or the verification result (i.e., if companies are taken off a government DPL list, they may be included again if a company policy demands that).
Notes Examples for legally binding or non-binding lists:
• End use/end user restriction (≥Common DPLs).
• National security.
• Proliferation.
• person Anti-terrorism (WMD).
• Company internal risk lists (e.g., a company may verify against their own defined Public Media Search list).
• Foreign policy controls.
• Financial Sanctions List (EU).
• Embargoed countries (see 2.3.1 International coordination).
Expectation:
A company may wish to verify its partners against the above lists via an automated system. The TSCP ECWG does not expect to have TSCP develop or include a system that automatically retrieves a government denied party list and process it to disable
partners. Rather, any company dealing with export controls is expected to have a manual business process supported by commercially available systems that a company representative may use to review a list. If a review identifies a person or company on the list, the company representative should be able to identify and flag the listed person or company as suspect within one or more company systems.
Recommendation:
BS-1.4 Develop scope(s) of goods/data/services to be shared Participants Program Manager
Description The Program Manager defines a set of scopes covering items to be shared / services to be provided by the company and by known business partners in the context of the program.
Outputs List of scopes (of shared item and provided services), divided into scopes per program participant.
Requirements Scope(s) must include characteristics for each participant.
The following table describes these requirements in details, categorized in scope elements.
Scope element: Minimum required
characteristic(s): Other/detailed characteristic(s):
Export item Description Country of origin, details on the
content of data being shared, design origin, construction material, item reference number (whether it is controlled or not) End user Location/destination, items,
quantity status information on training, 1. passed exam/ holds certificate
2. Expiration date (if applicable) Program context Purpose of sharing or end use Description of Program phase or work effort that should include: • Start and end dates for the
Program, and its contracts, • A list of all parties that will
be (sub) contracted and worked with during the phase/effort,
• List of (other) occasions when sharing of export controlled items takes place.
Sharing method training, talks, a digital document
or message sharing environment. Regulation
/Authorization (if known at this stage)
the export control classification number, (license) reference number especially when a re-usable and signed authorization (e.g., an ITAR TAA) is already in place, cumulative export value, export conditions required by exceptions.
Notes Particular attention should be made to define scope/ categorize the items that may require extra authorization/classification by the government.
Examples:
• In France, the government (Agency for National Security of Systems of Information - ANSSI) may put on extra controls for cryptography export.
Definition:
Scope = to enable the authorization determination by the export control manager. The Export Authorization application could require the inclusion of specific data about the scope of participation for each participant.
BS-1.5 Assist with scope development Participants End user
Description If required, the End User supplies details to assist with the development of scope(s) for information to be shared and services to be provided by the End User in the context of the program.
Outputs See 1.4 Requirements See 1.4 Notes Definition:
See 1.3 Definition(s) for description of End User.
In short, all end users/recipients in scope of the program.
BS-1.6 Perform analysis on the scope to ensure the Export Classification and if required, include a Security Classification
Participants Export Authorization Manager
Description The Export Authorization Manager reviews all intended exports within the scope of the program and classifies the items for exports against the applicable export control regulation.
In some countries, items designed in country may have to be classified by the Government and a National Security Classification obtained. This classification may place additional criteria on the export.
Depending on the case, the Export Authorization Manager may need to perform an additional classification against other specific national or company control process (e.g., financial transaction controls).
Outputs • Recommendation of export control policy that is best suited to ensure compliance and offers the widest possible scope of operations.
• The export classification reference(s) of the item(s) to be exported.
Requirements 1. All program exports subject to a specific Export Control regime must be identified and appropriate export classification made.
2. Export items subject to criteria in addition to Export Control Regulations must be protected as required by appropriate policy authorities.
Notes Recommendation:
The Export Authorization Manager may self-determine the appropriate export control regulation and self-classify data/technology by consulting the various regulations item
BS-1.6 Perform analysis on the scope to ensure the Export Classification and if required, include a Security Classification
Another method is to submit a request to the local regulators for classification determination (and/or subsequent rating). This is often done in case of grey areas in the regulation, or when particular restrictions are of concern, such as WMD or national security concerns.
Recommendation:
Common practice is to first consider the possible reasons for control (military/dual use/commercial/none), then determine the potential licenses available and after that classify the (individual) items against the appropriate export regulation(s) and best fit license(s).
The following is a common sequence to determine the appropriate export control regulation:
1. Is the purpose of the item that is to be shared for military use?
a. If Yes, determine appropriate military export regime and follow process from there (See the individual TSCP ECWG reviews1 for example and
details), b. If No, next:
2. Is the item on a Dual use list?
a. If Yes, look up under which appropriate annex, the list article number and the technology classification reference and follow process from there (Go to BS 1.7)
b. If No, the item is determined as commercial; follow standard customs procedures to export.
Recommendation:
For easy classification, recommendation is made to record a list of frequently occurring company program scopes / technology exports. This is particularly helpful as not every item on an Export Regulations control list requires an authorization/ license to export. Furthermore, some items (like those listed in EU Dual Use Annex IV) are subject under an Export Control regime but are not allowed to be exported at all.
BS-1.7 Determine the need for an Export Authorization; if required, draft the application. Participants Export Authorization Manager
Description The Export Authorization Manager determines whether export of a certain class of technology requires an Export Authorization (i.e., a license), whether it may be exported without an authorization, or whether it qualifies for an exception.
In addition, the Export Authorization Manager will identify any relevant restrictions on the export of data based on information provided in the Export Regulation item control list and the scopes of export provided by the Program Manager.
It is the responsibility of the Export Authorization Manager to ensure that the program is aware of any changes of a license, including validity. It is the program’s responsibility to ensure compliance with the license, in line with the Internal Control Plan, including to check the validity of its licenses.
Outputs A recommendation for which Export Authorization(s) is required (for the required program scope).
• Identification of appropriate license(s) needed.
• Verification of whether such a license is already in place and if it should be applied for.
• Selection of preferred license (if multiple licenses may be chosen). • Draft export authorization application (if needed).
Requirements 1. Export Authorization Manager shall identify the appropriate export control regime and licensing vehicle (See §1.3 definitions)
2. Export Authorization Manager shall provide information to facilitate Export Authorizations and Export License applications.
Notes • Each participating organization must be willing to accept responsibility for violations for failure to protect export-controlled information. U.S. Laws are stricter and require more documentation.
• Export Authorizations may be specific to a project phase. For example, an authorization may be in place for marketing and sales, but may not cover post sales collaboration.
• In some cases, enterprises are subject to “Consent Agreements.” These may be considered a special class of “Export Authorizations” that levy additional requirements on enterprises above and beyond the restrictions described in regulations, export authorizations or other enterprise policies.
Definition:
In this document, “Export Authorizations” include exceptions, exemptions, export licenses or other exchanges permitted by the regulations. Any legal term or document that permits sharing of data under EAR is considered an “Export Authorization”. BS-1.8 Coordinate the Export Authorization application
Participants Program Manager, Export Authorization Manager
Description • The Program Manager ensures that the Export Authorization(s) applied for cover the scope of the intended exports that are required by the program. • The Program Manager and Export Authorization Manager perform a joint check
if all supporting documentation is available.
• The Export Authorization manager will identify necessary (supporting) documentation as required by the Export License.
• The Export Authorization Manager will work with the Program Manager to collect this documentation.
• The Export Authorization Manager may request a rating prior to applying for an actual license. The rating may give the Export Authorization Manager an
indication if an actual license would be granted given the current circumstances. Rating is done for commercial reasons; companies want to have an indication of their chances of getting the license (strategy planning).
BS-1.8 Coordinate the Export Authorization application
for use of electronic systems (Customs export systems, license application systems, and export control rating systems).
• Keep record of the Policy Authority issued exporter registration (number).
• Requirements of documentation for supporting re-use of an existing authorization, a new application or exceptions to the regulations.
o Overview of supporting documents required
o Including specifics on the format of those documents o A description of how these documents must be tracked
Requirements 1. Supporting documentation must be gathered up front and submitted to the appropriate Export Control Policy Authority in order to apply for issuance of an export authorization.
2. Supporting documentation should be collected and maintained with export records to support periodic audits. Systems should keep track of these documents.
3. The choice of required documents and its tracking should be based on regulations and guidance pertaining to certain licenses and their application process and may be based on company best practices since this can speed up the application process.
4. The format ideally should be government issued templates plus related guidelines. Notes The supporting documentation requirements are usually published by the Export
Control Policy Authority. This may vary per authorization type. Additional
documentation may be requested by the Policy Authority prior to the approval of an export authorization or upon issuance of the authorization as a condition of usage of the authorization.
Examples for supporting documentation:
• A duly completed and signed license application form, with a brief but detailed description of the (technical specifications of the) goods.
• Identity vetted as the authorized company representative. This is usually comprised of a preregistration number from the National Policy Authority. To preregister, you usually have to provide company name, Tax identification number (TIN),22 letter written by authorized company manager, (note that
names of management are verified and therefore should be listed at an independent registrar like Chamber of Commerce).
• A copy of the signed contract or order.
• End-user declaration.
• IIC: For countries with International Import Certificates an IIC may be submitted instead of an end-user declaration.
• An export license issued in the country of origin if available.
• Export declaration (required for export outside EU).
• Pro forma invoice (required for export within the EU).
22 Tax Identification Number (TIN) Tax Identification Number (TIN): This is a U.S. reference and should be substituted by equivalent, based on jurisdiction. See: http://www.irs.gov/Individuals/International-Taxpayers/Taxpayer-Identification-Numbers-%28TIN%29
http://ec.europa.eu/taxation_customs/taxation/tax_cooperation/mutual_assistance/tin/index_en.htm
BS-1.8 Coordinate the Export Authorization application • Screening results of parties to transaction.
• Rating letter from the Policy Authority indicating if the license application will be successful.
• Company approval to proceed (usually done in a formal process of review and approval of the analysis).
• Technical details to outline the items for which an authorization is requested.
BS-1.9 If required, review Export Authorization application and provide supporting documentation.
Participants End user
Description End User may receive request to review the draft export authorization application for consistency/compliance with internal country laws and to ensure the scope is covered or to provide information to support the Export (or the License Application).
If required, the End User will sign supporting documents such as an end user statement for a license.
Outputs • Validated Export License Analysis by all participants in the program • (Optional) Signed approval to proceed of Export Authorization Manager • (Optional) Signed agreements by (foreign) End Users
Requirements 1. Reviews by all parties of draft export authorization application for consistency/compliance with internal country laws
2. Review draft export authorization application to ensure application adequately covers the scope of activities/exports for the task or program.
Notes The actual process of review and approval of the export analysis and the gathering of required signatures is complex, and varies widely between organizations. It is not clear if a single workflow process could be agreed upon, although it is acknowledged that every organization must support such process.
BS-1.10 Apply for appropriate Export Authorization unless previously obtained Participants Export Authorization Manager
Description If an authorization (i.e., a license) is required to export within the program scope, the Export Authorization Manager applies/registers for the relevant export authorization(s) with the appropriate national authority.
Outputs Applications for Export licenses from relevant national authorities
Requirements Application form plus supporting documents have been filled out and submitted according to policy authority process and requirements.
Notes Different national regulatory agencies have very different application systems and processes, and widely divergent levels of automation for the process. There is not a set of worldwide valid requirements.
BS-1.11 Approve Export Authorization, if required issue a license (-number) Outputs A set of rejected/approved Export Authorizations
• Sometimes with additional exclusions identified and documented by the regulatory authority.
• Export license(s) (document) and specific number
• For export of technology company specific arrangements are made with the export control policy authority on format and frequency of reporting. • Electronic application and approval is becoming the best practice.
Requirements 1. All exports (under a license) must be registered and reported by the company. This is commonly tasked to the Program Manager.
2. In case of ITAR:
a. The End User must sign the Export Authorization.
b. All parties named in the export authorization are required to sign the Export Authorization prior to export. Must be handwritten.
c. The identity of the individual signing the export authorization must be recorded by the entities bound by the agreement for later reference. 3. If registration is done electronically, the company systems must support computer-
readable format recording of the authorization and additional restrictions on information sharing identified by Policy Authorities.
Notes In general, there may be multiple rounds of negotiation and review, and final approval of an Export Authorization may include attachment of provisos, exclusions, additional constraints and conditions determined by the policy authority. Provisos themselves may be restricted (e.g., U.S. Eyes Only)
Examples for provisos:
• When an item is governed by EU Dual Use regulations but is also given an additional restriction due to sensitive nature of the product (“Restricted due to national considerations”), the license may levy special handling requirements on exporters.
• The proviso to provide regular reports to the policy authority. i.e., when exporting cryptographic material.
Still, additional exclusions may be added later by the regulatory authority based on changes to regulations or license conditions.
Recommendation:
Systemic recording of the authorization and its additional provisos may be in simple clear text format but is ideally done in an advanced format to enable further systemic analysis. Presently, authorizations are published in the form of a physical set of legal documents. These documents should be converted to system readable documents first to allow better systemic processing of the export as well as systemic enforcement of restrictions.
Recommendation:
Seek agreement on format and frequency of reporting (for intangible exports) and include that as supporting document, with the submittal of the export license application (this to avoid future issues / confusion when having government audits).
