Considering the ongoing war inflicted by Russia on Ukraine in spite of all legal norms and international law, the current post will approach a lesser-known subject but nevertheless an essential one for any company - export control laws.
All companies, when selling their products or services abroad, are required to make sure they comply with the laws regulating exports and ensure viable trade compliance (“export control”), which can imply not exporting to some [banned] countries, companies, or individuals, or which can require obtaining specific export licenses, etc. An extra component to the local regime of export control is applicable if your country is part of an international organization that has implemented its own trade compliance rules at a supranational level, such as the European Union. Therefore a company can be subject to its own national export control rules as well as international ones.
This is especially challenging when we are talking about technology companies whose products can be accessed with a click instantly from anywhere in the world to the extent you have internet access. If you launch a software product on your website, it can instantly reach a global audience that (if there are no technical controls in place) can include restricted and sanctioned countries, entities, and individuals.
So why do we have export control laws, and why should a company care about this legal requirement and about whether its product is used in the US, Russia, or North Korea?
First of all, the regime is intended to protect the interests of the jurisdiction where certain goods or technology originated and which are traded outside that jurisdiction's borders. Export laws and trade compliance regulations restrict the release of technologies, information, and services to foreign nationals, within and outside of the country. Each country implements these regulations under its own legal framework for reasons of foreign policy and national security, and they can be a powerful tool to promote its national interests in relation to other countries.
Secondly, it applies to a company because that company is either located, incorporated, or doing business in the country whose laws it needs to follow.
This can add multiple layers of complexity to your company's compliance. The key thing to keep in mind is that the law where you are based follows you everywhere in the world, and you need to comply with it as well as with the laws of the places where you are doing business or are temporarily located. The same applies to the Foreign Corrupt Practices Act (FCPA), which follows any US-based company throughout the world and is directly applicable to its international subsidiaries, affiliates, and partners.
Trade compliance is, as you may already suspect, a complicated legal framework with hundreds of legal provisions, requirements, and checklists that you always need to keep in mind. This material is not intended to go into depth about these very specific legal requirements, which vary from country to country, nor is it legal advice. It is merely a general overview, from my point of view, of what this regulatory framework means, how it can potentially impact you and your company if it is not properly approached, and what some of the possible mechanisms are that you can use to help you with compliance.
The main issues in terms of ensuring real ongoing compliance for any company are related to the following:
- first, to understand the applicability and the requirements from day one of starting your business at an international level (although this could impact your supply chain also);
- secondly, to understand what tools you can use effectively to implement internal controls, monitor compliance, and report your activity to the authorities; and
- thirdly, to put in place an internal process that neither overly burdens your operations (meaning you continue to be nimble and move fast with deals) nor puts an unjustified cost on your budget. Legal compliance should not drive a business into the ground; it should empower that business to flourish by actually complying with the law. The first scenario happens if the legal requirements are really bad and you cannot do anything about it because only the regulators have the power to change things, or if the requirements are sound but their practical implementation by a business is wrong or overly complicated. In the second scenario, the company ensures compliance and removes potential liabilities due to non-compliance.
Of course, what organizations and states, together with their regulators, can do to help their audience comply with these rules is to put in place a practical mechanism to easily access the information and subsequently ensure compliance. The Office of Foreign Assets Control (OFAC) and the International Trade Administration (ITA) take a very good approach: they created a digital database with Google-like search features, which makes the process easy and amenable to automation. The EU approach (European Commission Service for Foreign Policy Instruments), by contrast, is in line with its bureaucracy's credo: long lists of PDF documents through which you need to scroll manually to search for the info you need (only the Ctrl+F shortcut may help you move faster through it than through an Egyptian papyrus, although it is still extremely difficult to make sense of the information).
As we can agree, this should not happen if the EU wants to make sure that the companies located in the EU comply with its export control regulations. If you think about it, it really shouldn't be that hard to copy-paste what works well in other agencies or institutions tasked with a similar mandate in other jurisdictions. In other words, why isn't the EU, in this example, publishing its sanctions lists in a similar way to the OFAC/ITA online tool?
In my previous role, we used software robots for the first time to automate the search process to ensure compliance, and the websites provided by the US agencies were (and still are) far more user-friendly and efficient than the EU’s bulk of PDFs and other scans of documents with the implemented sanctions list. You would think this was solved in recent years, but it was not. These are minor operational matters for a regulator or an agency, but they can make all the difference for a company that needs to comply with them (let’s hope someone from the EU agencies in charge of this will get the right idea to improve the system or at least copy what already works in other places - such as the website the Estonian authorities put in place to offer a better interface for users in the EU here).
For us at that time, due to our fantastic growth, it would have been extremely difficult, if not impossible, to validate all the potential customers and partners through manual checks, and we were still not ready to invest hundreds of thousands of USD to acquire a specific trade compliance and export control tool. What we did after analyzing the publicly available sources of information and our internal tools used for sales, contract, and legal management, was to design a process (which is essentially a drawing detailing the actions or the clicks a software robot needs to do) that would link the publicly available sources of information with the internally used tools for sales and contracts.
For example, if you are using a customer relationship management (CRM) tool where all prospects and customers are registered, you could link the new account creation form to a robot that executes the sanctions list search for that potential customer at the moment you submit that customer's details in the CRM. Everything can happen in the background, and your sales representative or legal professional will only see either that the account was finalized without issues or, if the robot found the prospect on a sanctions list, an alert that the customer needs to be validated by the legal or compliance team.
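The screening step described above could look like the following sketch. It is an added example, not the process or robot from the author's company: the list entries, country codes, `screen_account` function, and the 0.85 threshold are all constructed assumptions, and a real deployment would load the published sanctions lists instead of the inline sample.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample entries standing in for a downloaded sanctions list.
SANCTIONS_LIST = [
    {"name": "Example Heavy Industries LLC", "aliases": ["EHI Trading"]},
    {"name": "Ivan Petrov Sample", "aliases": []},
]
EMBARGOED_COUNTRIES = {"ZZ"}  # constructed placeholder country code
LEGAL_SUFFIXES = {"llc", "ltd", "inc", "gmbh", "ooo", "co", "corp", "limited"}

def normalize(name):
    """Fold case and accents, drop punctuation and legal-form suffixes, sort tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = [t for t in re.findall(r"[a-z0-9]+", text) if t not in LEGAL_SUFFIXES]
    return " ".join(sorted(tokens))

def screen_account(name, country, threshold=0.85):
    """Return the decision the CRM would show when the account form is submitted."""
    hits = []
    if country.upper() in EMBARGOED_COUNTRIES:
        hits.append({"reason": "embargoed country", "entry": country.upper(), "score": 1.0})
    candidate = normalize(name)
    for entry in SANCTIONS_LIST:
        # Compare against the primary name and every listed alias.
        for listed in [entry["name"], *entry["aliases"]]:
            score = SequenceMatcher(None, candidate, normalize(listed)).ratio()
            if score >= threshold:
                hits.append({"reason": "name match", "entry": entry["name"],
                             "score": round(score, 2)})
                break  # one hit per list entry is enough to trigger review
    # Any hit routes the account to legal/compliance instead of rejecting it outright.
    status = "needs_legal_review" if hits else "finalized"
    return {"status": status, "hits": hits}
```

The threshold trades false positives against missed matches, which is why a hit only routes the account to the legal or compliance team for validation rather than deciding on its own.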
If you do not have a CRM and you are doing business internationally, you still need to ensure compliance with export control laws. The right way for you may be either to do this type of search manually or to license a dedicated tool for it. You could also improvise with a software robot, for which a process can be implemented to work in a similar fashion to the one described above, but instead of connecting to a CRM it could connect to your drive, SharePoint, or any other tool you are using for customer registration and management.
To summarize, it would be great if you could share in the comments some of the tools or mechanisms you implemented for export compliance and how well they work for you. The intent is to share experiences and best practices to make compliance with these regulations as simple as possible.
In the context of another European war where the aggressor needs to revert to compliance with international law, ensuring that everyone understands the stakes and the importance of export control laws and regulations, and effectively complies with them to help restrict bad actors' access to US/EU technologies, information, and know-how, is an essential step that contributes to the supremacy of international law.