The US International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) are export control regulations administered by the US Government and enforceable extra-territorially. Australian businesses in areas spanning high tech military to dual use technologies must ensure their compliance with these regulations and standards.
In September 2018 we wrote an article explaining the regulations to readers. This was followed in February 2019 with an article that detailed the specifics around controlled technical data and what the Australian and US governments alike are introducing in order to protect this data. We continue this series with an article detailing some of the initial steps Australian companies can take to ensure compliance in this area.
The following are a list of compliance steps every business should adopt if they are currently handling, or forecast to handle, US-controlled technology. Using the US regulations as an exemplar, the following steps should be applicable to any business handling controlled technology - no matter the origin.
First, assign a Technology Control Officer. The appointment of a Technology Control Officer (TCO) is essential to ensure one staff member is responsible for the management of day to day operations related to controlled technology and information. The ITAR describes an Empowered Official and the importance of the TCO’s role.
Second, develop a Technology Control Plan (TCP). The TCP acts as the guiding process document for all aspects of managing controlled technology and information, whether it is related to ITAR or EAR. It is the only compliance measure mentioned within the regulations and as such should be considered as the key measure. The application of project specific TCPs should also be considered for larger companies where different requirements are applied between projects.
Third, educate your team through training. Ignorance is no excuse when you are handling controlled technology, so a level of awareness is essential for all staff with even the smallest of access to controlled technology. Training should be conducted on an annual basis as a minimum, and be sure to inform staff when changes to regulations impact their roles.
Fourth, establish safeguards and security controls. The protection of Technical Data is a key priority, with the US Department of State and the Department of Commerce likely to treat any such breach very seriously.
It is the responsibility of the Australian company in possession of controlled technology to safeguard the data in their possession.
Fifth, higher management should be 100 per cent indebted to compliance in this area, and this should extend to a written commitment.
Sixth, audit. Internal and external auditing can ensure ongoing compliance. A comprehensive audit plan should be developed which is adaptable to change at short notice, predominantly to cater for unexpected requirements such as a suspected breach.
Seventh, a process to detect and report suspected violations should be in place. The voluntary disclosure of a breach is highly recommended by US regulators and is proven to aid in mitigating any penalties that may be imposed. Should there be any doubt, assume it is the case and disclose the breach.
Finally, accurate and complete records should be maintained for all export control transactions, including permits, licences and destruction. A well maintained record system will allow greater traceability and is a key indicator of an organised and structured export control process.
While the above compliance steps are comparatively simple to establish and maintain, they require a commitment by a business to comply with the relevant Export Control regulations they are exposed to.
In the coming weeks this series will conclude with an article on compliance in cyber, which is vitally important in the protection of controlled technology.
Note: Kevin Chenney is a senior consultant with Goal Professional Services.