The International Trade Blog arrow Export Compliance

Staying Compliant When Exporting Software: 5 Tips

On: September 16, 2024    |    By: David Noah David Noah    |    5 min. read

Staying Compliant When Exporting Software: 5 Tips | Shipping Solutions

Exporting software is an area of increasing inquiry and concern. A growing number of companies doing business online or adding “Internet of Things” functionality to their products are using software that is subject to U.S. export control and sanctions laws—whether or not they acknowledge it.

Often, companies fall into a pattern of developing and exporting their own software without thoroughly (or intentionally) thinking through how they’re doing it, which puts them at risk for compliance issues.

We spoke with Nate Bolin, partner at DLA Piper, who shared his top five tips for software export compliance. Here are his recommendations:

1. Be aware of any and all platforms where you are distributing and giving users access to your software.

Exporters may not realize they’re exporting software in a manner that can create compliance risks. Software can be exported merely by making it available for download by overseas users through FTP transfer or posting it on a platform such as the Apple App Store or Google Play Store.

An export can also be deemed to occur when software source code or object code is made available to non-U.S. persons in the United States. Depending on the destination and end use, such exports can create liability under U.S. export control laws. Even in pure Software as a Service (SaaS) distribution models, simply offering the SaaS service across international borders could create sanctions compliance risks.

Such risks can result in very significant compliance costs, as illustrated by recent compliance settlements totaling many millions of dollars.

Export penalties are assessed against companies of all sizes. Download this  free BIS publication:Don't Let This Happen to You!

2. Understand how to correctly classify your software.

Proper classification is an essential first step to compliance. Under U.S. law, jurisdiction over software and SaaS exports is divided between multiple agencies, each with its own license procedures and compliance requirements. Most commonly, software that does not have direct military applications will be subject to the jurisdiction of the U.S. Commerce Department and its Export Administration Regulations (EAR).

Frequently, a key factor in identifying the proper classification of software is whether or not the software uses encryption for information security or other functions. In addition, how the software is intended to be used, its development history and the locations where the software is developed may also determine how the software is classified for export control.

From the beginning, working with your company's software development team is crucial to proper classification. You need to understand the software design history, what type of encryption is used and the functionality of the product being developed. This will allow you to look at the EAR and other applicable export requirements for software to determine how the software is classified and what export license or license exception requirements may be required.

It is best to track development history through detailed written records. Many companies will develop detailed export control classification worksheets for software specifically for this purpose. Additionally, the U.S. Bureau of Industry and Security (BIS) has published a number of resources for exporters.

3. Know end use and end user.

Knowing who’s downloading your software (the end user), your method of distribution, whether or not the end user has the right to further distribute your software, and the end use or end uses of your software are also critical to a robust compliance program.

Importantly, even software that is subject to the lowest levels of control under the EAR and other U.S. export control laws will still be subject to U.S. sanctions laws administered and enforced by the U.S. Treasury Department and the Department of Justice. This is because such software or transactions related to such software may be considered “property” or “interests in property” over which these agencies have jurisdiction under U.S. sanctions laws.

Proper compliance starts with classification of the software and takes into consideration all parties involved in the transaction. You should make sure you have a mechanism for doing your due diligence not only on end use and end user, but also making sure you are checking to see if end users and any intermediaries (such as distributors) are eligible to receive the software. Companies are increasingly employing systems such as IP blocking and automated screening to aid them in these tasks.

4. Be aware of reporting and other procedural requirements.

U.S. export control regulations and sanctions laws contain many detailed procedural requirements that are fraught with traps for the unwary. Understanding and meeting these requirements is essential to an effective compliance program. Ideally, exporters should go into exporting software with eyes wide open, understanding that these requirements exist and then building a process to handle them. Trying to build a program once the product is launched can be much more difficult and costly.

Most software that contains encryption can be exported without a license using the license exemption "Encryption Commodities, Software, and Technology (ENC)" to most end users and end destinations. But using ENC may require exporters to file annual or semi-annual reports on such exports. Failure to file the reports on time, or in the manner specified by the regulations, can result in substantial penalties. (Read more: What You Need to Know about Export License exceptions.)

This can be a blind spot for many companies—especially those who are new to software exports or who have just begun selling or distributing software that contains encryption. Don’t get part of the way down the road and realize these requirements exist, and then have to scramble to figure out if what’s been done has been reported and documented properly. This is an area where a little preparation goes a long way, and it's very important to be aware of these requirements early on to try to avoid compliance failures.

5. Have a compliance plan and stick to it.

Having a well-documented export compliance program (ECP)—and following that program— are essential. Having an effective, written ECP, combined with proper training and periodic gap assessments, will not only make your export process more efficient, it will help ensure that your transfers or shipments of software don’t violate any export regulations.

If you haven’t written down your company’s export procedures and you’re not documenting that they’re being followed, chances are that something is slipping through the cracks. That could cost your company money and make you liable for stiff fines and harsh penalties for unauthorized exports.


Like what you read? Subscribe today to the International Trade Blog to get the latest news and tips for exporters and importers delivered to your inbox.

This article was originally published in June 2021. It has been updated to include current information, links and formatting.

David Noah

About the Author: David Noah

David Noah is the founder and president of Shipping Solutions, the #1 selling export documentation software that develops and sells export documentation and compliance software targeted at U.S. companies that export. David is a frequent speaker on export documentation and compliance issues and has published several articles on the topic.

An Export Compliance Program will help your company avoid export violations.

If you haven’t written down your company’s export procedures, chances are that something is slipping through the cracks. Our whitepaper helps you know what to include in your written ECP and where to go for free assistance.

Download Now

How to Create and Implement an Export Compliance Program
email

Subscribe to the Newsletter!

Join the 33,143 other exporters and importers who get the latest news, tips and insights from international trade professionals.