Build a Visitor Management Program That Ensures Export Compliance

In addition to controlling tangible shipments of U.S. products and software from one country to another, U.S. export regulations also control the transfer of U.S.-controlled technology to non-U.S. persons. This type of transfer or “release” is called a deemed export. A deemed export can occur via a number of channels, including verbal exchanges or visual inspections. Therefore, companies must be discreet and secure with regard to export-controlled documents, products and technology that could be viewed or discussed during on-site meetings or site tours—hence the importance of visitor management in the field of export compliance.

A comprehensive visitor management program will include, as a baseline, a well-defined visitor management process. Visitor management processes may look very different from one organization to the next (depending on the export-compliance risks, number of sites, amount of support staff, etc.). However, below are a few general guidelines that should be incorporated, in one form or another, in most visitor management processes and programs. Keep in mind that this guidance may be well-suited for export-compliance purposes but does not necessarily incorporate other visitor management concerns such as physical security or access to confidential or proprietary business information.

Visitor Access Process: A Guideline

A visitor access process should include the following steps:

Step 1: Visitor Request Form

Visitors who require access to U.S. export-controlled products/technologies should submit to their host employee some form of document or other written confirmation including their date(s) of visit, employer, reason for visit and type of products/technologies they seek to access.

Step 2: Documentation Submission

Visitors who require access to U.S. export-controlled products/technologies should submit to their host employee (or to on-site security, export control, etc.) either proof of citizenship (passport or birth certificate) or proof of permanent-resident status (e.g., a green card) to establish if they are export-compliant. Be aware that different forms of state ID (e.g., a state driver’s license or state government ID) may demonstrate proof of U.S. nationality in some U.S. states but not in others. 

Step 3: Documentation Review/Approval

The documentation described above should be reviewed by an employee trained to understand which nationalities may or may not pose export-compliance risks given the products and technologies at issue. While it may be necessary or preferred at some companies to direct all visitor requests and accompanying documentation to a centralized export-compliance team, it is often more manageable to train on-site employees to handle such reviews and to only escalate specific visitor management issues or concerns to a centralized export-compliance team.

Step 4: Visitor Screening

Site visitors should be screened (via a local or centralized function) to ensure they are not on prohibited or restricted-party lists. Screenings that produce a “hit” should be escalated to determine if it is truly a restricted party or rather a false positive.

Step 5: Visitor Badging

Assuming that visitors' on-site access is approved, a badge should be assigned so they, as well as other employees on-site, are aware of areas they can or cannot access. Badging may be color-coded to not only denote that an individual is a visitor (as opposed to an employee or contractor) but also to establish that a particular visitor is or is not export-compliant. Here is an example of a three-tiered badging system:

• Green badge: Signifies that a visitor is export-compliant, meaning the visitor is approved to access all export-controlled products/technology on-site.
• Yellow badge: Signifies that a visitor is export-compliant, with restrictions. For example, a visitor may be approved to access areas containing EAR-controlled products/technologies, but not areas where ITAR-controlled products/technologies are being displayed, developed or discussed. Such visitors may require an employee escort while on-site.
• Red badge: Signifies that a visitor is not export-compliant and should not be granted access to any areas where U.S. export-controlled products or technologies are being displayed, developed or discussed. Such visitors will almost certainly require an on-site escort to ensure that they do not access restricted areas.

Coordinating with Security

Most companies, even those without significant deemed-export concerns, will have a visitor management process in place for physical security purposes. For export-compliance professionals looking to develop or improve on an existing visitor management process, it would befit them to coordinate with internal security stakeholders to determine where there are overlapping interests and room for collaboration.

Setting a Realistic Scope

It may not be feasible or even necessary to screen every visitor, to every site, every day. Depending on the size of a company and/or the export-compliance risks at hand, it may be reasonable to find ways to prioritize the sites and types of visitors that need to be screened, documented and approved based on a number of risk factors, including: 

• The type of technologies or products at issue.
• The site layout.
• The number of visitors to a given site every day.
• The number of employees available to support the implementation of a visitor management process. 

Remember, just because an unlicensed foreign-national visitor walks into a room containing a piece of export-controlled equipment or technology, an export-control violation has not necessarily (and not likely) occurred. While export-compliance professionals tend to be overly cautious, it is also incumbent on them to balance the risks with the time and effort involved in implementing a visitor management process that could potentially be overly cumbersome to the business.

Using Contractors and Vendors

Many of a company’s visitors may be the employees of vendors that a company uses every day, such as delivery professionals, maintenance workers, etc. These vendors may be asked (or required in their contracts) to confirm their employees' nationalities and/or screen them against restricted party lists to be allowed on-site at your company.

Accounting for Privacy Concerns

While an export-compliance professional may want to keep tabs on the nationality of every site visitor, be aware that certain countries—especially European countries subject to the General Data Protection Regulation (GDPR)—have privacy restrictions that dictate the reason such information can be collected, how long it may be retained, the manner of retention, etc. Export-compliance professionals should confirm with the local privacy-compliance professionals within their organization before attempting to broadly implement a visitor management process or policy that may require adjustments from one country to another.

Setting and Enforcing Lead Times

A common scenario faced by many export-compliance officers goes as follows: An employee calls and says, “We have a big group of visitors coming from ABC Company tomorrow, we are taking them on a site tour … what do we need to do?”

Granted getting a day’s notice is better than no notice, situations like the preceding can be lessened (although probably never completely avoided) if employees are trained on the visitor access process and instructed to put in visitor requests “ahead of time”—48 hours, one week or even a month—as defined in the applicable visitor management process.

While there may be instances of screenings and reviews being conducted last minute and on the spot with a visitor waiting in the lobby, such scenarios should be the exception, not the rule. Employees who are hosting visitors should be held accountable for the lead times specified in the visitor management process, and export-compliance officers should be ready to give instruction to deny or limit access to a visitor who has not been properly screened. If an export-compliance professional isn’t empowered to implement such restrictions, an escalation plan should be in place.

Mitigating Risk When There Are Concerns 

If a visitor coming on-site hasn’t been properly screened ahead of time (or has been screened and poses an export-compliance risk due to nationality), the visitor does not necessarily need to be prohibited from entering a site. Below are a few creative, compliant means to still accommodate a site visit:

• Determine ahead of time areas where non-export compliant visitors can have access without creating a potential violation. For example, if the visitor is coming in for an interview or meeting, they likely don’t need to be given access to the manufacturing floor or R&D lab.  
• If a site often has visitors who cannot be given access to certain areas due to export-compliance concerns, establish an “export-compliant tour” and a “non-export compliant tour” with different routes and information provided.
• If a non-export compliant visitor absolutely must be taken on a full site tour, be prepared to put a drop cloth over products or documents that the visitor should not have visual access to and give advanced warning to employees on-site not to discuss certain technologies or product development around the visitor.

Like what you read? Subscribe today to the International Trade Blog to get the latest news and tips for exporters and importers delivered to your inbox.