How Can Your Company Navigate Export Controls Compliance?

Export controls fall under three primary federal regimes: the Export Administration Regulations (EAR) administered by the Department of Commerce's Bureau of Industry and Security, the International Traffic in Arms Regulations (ITAR) managed by the State Department's Directorate of Defense Trade Controls, and the Office of Foreign Assets Control (OFAC) sanctions administered by the Treasury Department. The EAR covers dual-use items with military applications, ITAR governs defense articles and technical data, and OFAC enforces country-based and entity-based sanctions. Your company must determine which regime applies to each transaction by identifying product classification, destination country, and intended end-use. Misclassification or failure to obtain required licenses exposes your organization to criminal investigation, administrative penalties, and reputational damage.

Classification is the first compliance step: you must assign an Export Control Classification Number (ECCN) under the EAR or determine whether an item is subject to ITAR. Export compliance law requires that you review the Commerce Control List (CCL) or the U.S. Munitions List (USMIL) to identify whether your product requires a license. Many items are classified as EAR99 (no license required for most destinations) or are controlled for specific end-uses, such as nuclear proliferation or military applications. Once classified, you must screen the transaction against OFAC sanctions lists, denied-party lists, and the Commerce Department's Entity List. Obtaining a license involves submitting Form BIS-748 or the equivalent ITAR application with product specifications and end-use statements. Processing times vary from 5 to 90 days depending on complexity and destination sensitivity.

Compliance obligations include denied-party screening, license determination, proper classification, record-keeping, and employee training. Your company must screen all customers, distributors, and end-users against the Consolidated Screening List (CSL), which consolidates OFAC, BIS, State Department, and other federal denied-party databases. Screening must occur before contract signature and again before shipment. Classification decisions must be documented in writing and reviewed by qualified personnel; a written classification memorandum is a best practice and a defense against penalties if challenged. Proper shipping documentation must reflect the actual end-use and destination; misrepresenting these on export declarations is a criminal offense. Your company must retain all supporting documentation for five years and make it available for inspection by CBP, BIS, or other federal agencies. Employee training on export controls, sanctions compliance, and red flags, such as requests for vague end-use or unusual payment methods, is mandatory for all personnel involved in sales, shipping, and customer service.

Criminal violations carry penalties of up to 20 years imprisonment and fines up to $1,000,000 per violation for individuals and entities. Civil penalties under the EAR can reach $300,000 per violation or twice the value of the export, whichever is greater. ITAR violations carry civil penalties up to $500,000 per violation and criminal penalties up to $1,000,000 and 20 years imprisonment. OFAC violations are subject to civil penalties up to $250,000 per transaction and criminal penalties up to $20,000,000 and 20 years imprisonment. In addition to financial penalties, your company may face license denial, suspension of export privileges, and seizure of goods. A single violation can trigger a multi-year investigation involving grand jury subpoenas, witness interviews, and forensic review of company communications.

An effective compliance program includes written policies, classification procedures, screening protocols, training, and internal audit mechanisms. Your company should appoint a compliance officer with authority to review transactions, approve licenses, and enforce policies. Export controls compliance programs should integrate with sales, finance, and logistics to ensure no transaction bypasses review. Policies must address how customers are screened, how classification disputes are escalated, and how to handle requests from sanctioned countries. A written classification policy should require that all items be assigned an ECCN or ITAR determination before marketing or sale. Establish a centralized license tracking system that records application dates, approval dates, license numbers, and expiration dates. Quarterly internal audits should test whether transactions comply with policy and whether documentation is complete. Training should occur at hire and annually thereafter, with documentation of attendance.

Red flags include requests for cash payment, unusual routing through intermediaries, requests to remove or obscure markings, vague end-use statements, customer reluctance to provide standard certifications, and destinations in countries subject to heightened scrutiny, such as Iran, North Korea, Syria, and Crimea. Transactions involving military, aerospace, semiconductors, encryption, or chemical precursors warrant enhanced review. If a customer asks you to misclassify a product, omit technical specifications, or ship to an address different from the stated end-user, stop the transaction and report it to your compliance officer. Requests to re-export items trigger additional licensing requirements. Your company should implement a policy that any employee who receives a suspicious request must report it immediately and that the transaction cannot proceed until compliance review is complete.

A proactive compliance program is far less costly than defending a criminal investigation or paying civil penalties after a violation is discovered.