Exporting software is an area of increasing inquiry and concern. A growing number of companies doing business online or adding “Internet of Things” functionality to their products are using software that is subject to U.S. export control and sanctions laws—whether or not they acknowledge it.
Often, companies fall into a pattern of developing and exporting their own software without thoroughly (or intentionally) thinking through how they’re doing it, which puts them at risk for compliance issues.
1. Be aware of any and all platforms where you are distributing and giving users access to your software.
Exporters may not realize they’re exporting software in a manner that can create compliance risks. Software can be exported merely by making it available for download by overseas users through FTP transfer or posting it on a platform such as the Apple App Store or Google Play Store.
An export can also be deemed to occur when software source code or object code is made available to non-U.S. persons in the United States. Depending on the destination and end use, such exports can create liability under U.S. export control laws. Even in pure Software as a Service (SaaS) distribution models, simply offering the SaaS service across international borders could create sanctions compliance risks.
Such risks can result in very significant compliance costs, as illustrated by recent compliance settlements totaling many millions of dollars.
2. Understand how to correctly classify your software.
Proper classification is an essential first step to compliance. Under U.S. law, jurisdiction over software and SaaS exports is divided between multiple agencies, each with its own license procedures and compliance requirements. Most commonly, software that does not have direct military applications will be subject to the jurisdiction of the U.S. Commerce Department and its Export Administration Regulations (EAR).
Frequently, a key factor in identifying the proper classification of software is whether or not the software uses encryption for information security or other functions. In addition, how the software is intended to be used, its development history and the locations where the software is developed may also determine how the software is classified for export control.
From the beginning, working with your company's software development team is crucial to proper classification. You need to understand the software design history, what type of encryption is used and the functionality of the product being developed. This will allow you to look at the EAR and other applicable export requirements for software to determine how the software is classified and what export license or license exception requirements may apply.
It is best to track development history through detailed written records. Many companies will develop detailed export control classification worksheets for software specifically for this purpose. Additionally, the BIS has published a number of guides over the years as resources for exporters.
3. Know end use and end user.
Knowing who’s downloading your software (the end user), your method of distribution, whether or not the end user has the right to further distribute your software, and the end use or end uses of your software are also critical to a robust compliance program.
Importantly, even software that is subject to the lowest levels of control under the EAR and other U.S. export control laws will still be subject to U.S. sanctions laws administered and enforced by the U.S. Treasury Department and Department of Justice. This is because such software or transactions related to such software may be considered “property” or “interests in property” over which these agencies have jurisdiction under U.S. sanctions laws.
Proper compliance starts with classification of the software and takes into consideration all parties involved in the transaction. You should have a mechanism not only for doing your due diligence on end use and end user, but also for checking whether end users and any intermediaries (such as distributors) are eligible to receive the software. Companies are increasingly employing systems such as IP blocking and automated screening to aid them in these tasks.
4. Be aware of reporting and other procedural requirements.
U.S. export control regulations and sanctions laws contain many detailed procedural requirements that are fraught with traps for the unwary. Understanding and meeting these requirements is essential to an effective compliance program. Ideally, exporters should go into exporting software with eyes wide open, understanding that these requirements exist and then building a process to handle them. Trying to build a program once the product is launched can be much more difficult and costly.
Most software that contains encryption can be exported without a license under the EAR’s “License Exception ENC” to most end users and end destinations. But use of License Exception ENC can require that software exporters file annual or semi-annual reports on such exports. Failure to file the reports on time, or in the manner specified by the regulations, can result in substantial penalties.
This can be a blind spot for many companies—especially those who are new to software exports or who have just begun selling or distributing software that contains encryption. Don’t get part of the way down the road and realize these requirements exist, and then have to scramble to figure out if what’s been done has been reported and documented properly. This is an area where a little preparation goes a long way, and it's very important to be aware of these requirements early on to try to avoid compliance failures.
5. Have a compliance plan and stick to it.
Having a well-documented export compliance program (ECP), and following that program, are essential. Having an effective, written ECP, combined with proper training and periodic gap assessments, will not only make your export process more efficient, it will help ensure that your transfers or shipments of software don’t violate any export regulations.
If you haven’t written down your company’s export procedures and you’re not documenting that they’re being followed, chances are that something is slipping through the cracks. That could be costing your company money and making you liable for stiff fines and harsh penalties for unauthorized exports.