You can’t help but notice the growing trend of U.S.-based software companies using cloud computing. But have you noticed that the cloud can be used by American companies to deliver software developed overseas to customers back in the U.S.?
Why is that? Well, offshoring the design and production of software may allow software companies to keep their profits “outside the reach of U.S. taxes.” It’s also possible, however, that collaborations between American and offshore sites may involve American export laws.
The export laws apply broadly to Americans, wherever located, as well as to goods that contain a certain amount of American content or were made using certain American technology. Physical transfers, cloud computing, even providing a foreign national with access to technical data, source code, or other information may require an export license from American authorities, depending on the product and countries involved. Thus, the very tools that allow teams of developers located in different countries to collaborate on designing software can create challenges for export compliance.
Reviewing the rules
The U.S. government regulates the export of goods, technology and services through a maze of regulatory acronyms. The State Department’s Directorate of Defense Trade Controls (DDTC) regulates the export of defense articles, related technical data, and defense services listed on the U.S. Munitions List (USML) through the International Traffic in Arms Regulations (ITAR).
The Department of Commerce’s Bureau of Industry and Security (BIS) enforces the Export Administration Regulations (EAR), which govern the export and re-export of commercial and “dual-use” commodities (generally those items not listed on the USML).
Because most commercial software is subject to the EAR, this article focuses on the BIS regulatory framework. It bears noting, however, that some software developed or designed primarily for defense purposes may fall under ITAR and be subject to DDTC licensing requirements. In addition, all export transactions should be reviewed for compliance with economic sanctions administered by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC).
What is an export?
Most American companies understand that the export or re-export of a finished product involves export laws. Less often appreciated is that American export controls also cover the transmission of software source and object code overseas, and the sharing of technology or source code with foreign persons, whether located in the U.S. or abroad (known as “deemed exports”). This means that technology, software, or source and object code can be exported through visual inspection, release on a website, transmission by e-mail or oral exchange.
Beware of deemed exports!
The potential for “deemed exports” is real for many American software companies, especially those that take advantage of lower costs and taxes outside of the U.S. This may include using operations offshore for software coding and development, back-office support services, application support and maintenance, or the managing of a data room overseas.
All of these activities raise the possibility of a deemed export, which occurs when controlled technology (including software source code) is released to a foreign national (wherever located, even in the U.S. or over the phone). Depending on the nature of the technology and the country to which the technology is disclosed, releasing controlled technology to a foreign person (wherever located) may require an export license.
When is software subject to licensing requirements?
Just because an item is subject to the EAR does not necessarily mean that an export license is required. All items subject to the EAR are classified either under an Export Control Classification Number (ECCN), which determines the item’s licensing requirements on a country-by-country basis, or as EAR99, meaning the item may be exported to most countries without a license.
Factors that determine whether a BIS license is required include the classification of the commodity, software and/or technology, the country of ultimate destination, the identity of the ultimate end user of the item, and the intended end use.
For software and related source code, determining whether a particular transaction requires an export license can be tricky:
1. Several ECCN categories cover both the finished product (e.g., semiconductors) and any software that is specially designed for the development, production, or use of the finished product (e.g., CAD software used to design nuclear reactors). The export of such specialized software can require a license to certain destinations or end users.
2. Software (regardless of what kind it is) that contains a certain level of encryption functionality or features may be classified under ECCNs 5D002 or 5D992 (although there are certain license exceptions, as noted below). These ECCNs frequently cover software designed for cybersecurity, defense and other sensitive industries, and often require a license for export.
3. Certain commercial software that does not qualify as “publicly available” may be classified as EAR99 (when, for instance, the encryption is less than 64-bit key level for a symmetric algorithm), meaning that no license is required to export to most countries or end users. Think software used to play your online music collection.
Software containing enhanced encryption receives special attention. In fact, until recently, most software containing encryption required a license from BIS for export to many countries. In 2010, BIS adopted new rules allowing most software to be exported without a license under MMKT (Mass Market) or License Exception ENC.
Export best practices
Any software company that has or is considering moving parts of its operation overseas should take into account the potential impact of American export controls. For some companies, the nature of their software may raise few, if any, export concerns. For others, the development of software overseas, including the sharing of source code and other sensitive information, may present complex licensing requirements. The best way for a company to get a handle on these issues is to conduct a comprehensive review of operations, and to implement appropriate compliance policies and procedures.
Develop an export-compliance policy and procedures. Designing and implementing an effective program is not a “one-size-fits-all” endeavor. Companies should design their programs to take into account their size, operating structure and business risks. At a minimum, however, an export policy should set forth a company’s commitment to export compliance and associated procedures, and provide guidance to employees. The policy should include an overview of applicable laws; a summary of the company’s products, services and related export controls; prohibited activities; employee responsibilities; and implementation of BIS-mandated recordkeeping requirements (for a period of five years from the date of the export/re-export).
It bears emphasizing that an export-compliance policy is only effective if understood and followed by employees and officers. Training should be done regularly to ensure that employees receive updates on developments and learn from each other’s experiences over time, and, finally, that all new employees are brought into the system on a reasonably timely basis.
A compliance program should also include an audit function by the company’s independent auditor. Reviewing the program annually impresses on employees the importance of the program and underlines for them the seriousness senior management attaches to sound business practices. If a potential violation arises, the company should immediately stop the violation and mitigate risks, including reporting the potential violation to the company’s compliance officer or legal counsel.
Conduct due diligence on each transaction and all parties involved. Another standard practice is to require a checklist to be completed by the people involved in every transaction that crosses a border. Consider developing a database that matches your company’s products and services to potential export-licensing requirements. This database can then be used by employees to check each export transaction for licensing requirements. In addition, companies susceptible to potential deemed exports should develop a list of all non-U.S. employees engaged in the company’s activities, wherever located.
Additional areas of due diligence include:
· Requiring information on intermediate destination(s) and the final destination for any applicable restrictions or sanctions
· Examining end use for each transaction
· Identifying and screening every supplier, service provider, counterparty, customer, etc., against the U.S. government’s “Consolidated Screening List.” This list consolidates a number of “prohibited” party lists maintained by the U.S. government, including those by BIS, OFAC and the State Department.
Beware of red flags
Finally, conducting due diligence on each transaction is of limited value if the information obtained is not reviewed for export risk. Examples of “red flag” indicators that must be considered when handling an export transaction include:
· The customer or purchasing agent being reluctant to offer information about the end use (or end user) of a product
· The customer having little or no business background
· The customer being willing to pay cash for a very expensive item when the terms of the sale call for financing
· A freight-forwarding firm or foreign trade zone being listed as the product’s final destination
· The shipping route being abnormal for the product and destination
· When questioned, the buyer being evasive or unclear about whether the purchased product is for domestic use, export or re-export
· The customer using only a “P.O. Box” address, or having facilities that appear inappropriate for the items ordered
· The customer being known to have, or being suspected of having, unauthorized dealings with embargoed countries
Review your operations
American software companies looking to save money or taxes by offshoring their business operations would be wise to review their planned (or current) operations to ensure that they comply with applicable U.S. export controls.
D. E. Wilson, Jr. is a partner with Venable LLP’s Washington, D.C., office. Andrew Bigart is an attorney in that same office. They specialize in export compliance.