How often does trade compliance nestle up to cybersecurity and other technology organizations? The recent Kaspersky ruling and subsequent codification of the Kaspersky company name in the U.S. government's Entity List show the obvious intersection of the two. This list, maintained by the U.S. Department of Commerce's Bureau of Industry and Security (BIS), identifies foreign parties that are restricted from receiving certain items, technologies, and software without a license. Understanding the implications of the Entity List and other restricted party lists maintained by the U.S. government is essential for companies to maintain compliance and avoid severe penalties.
Understanding the Entity List
The Entity List targets organizations, companies, and individuals engaged in activities that are deemed contrary to the national security or foreign policy interests of the United States. Inclusion on this list means that any transaction involving controlled items with these entities requires a specific license from BIS, which is typically difficult—or at least time-consuming—to obtain. For tech companies, this means heightened scrutiny and stringent controls over exports, re-exports, and in-country transfers of products, particularly those involving cutting-edge technologies, and may render trade relationships with these parties not worth pursuing. Other companies and individuals are banned altogether from U.S. commerce. Huawei is a good example.
Other restricted parties lists and practices
While the Entity List is significant, it's not the only list organizations (businesses, non-profits, and universities alike) need to be aware of. The Office of Foreign Assets Control (OFAC) maintains the Specially Designated Nationals (SDN) List, which includes individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. These entities are comprehensively blocked, and U.S. persons are generally prohibited from dealing with them. Another critical list is the Denied Persons List, which identifies individuals and entities that have been denied export privileges. Compliance with these lists is crucial for avoiding inadvertent violations that could lead to substantial fines and legal repercussions.
U.S. regulations state how to deal with people on these lists but don't describe how to manage the "don't ship to them" mandates. The best practice is called Restricted Party Screening, a continuous method of ensuring, on a transaction-by-transaction basis, that trading partners do not appear on any of the lists and that organizations can prove to auditors they're checking and documenting results.
Why trade compliance? Providing goods or information to a foreign national—even on U.S. soil—is considered an export. Doing so when that person or company is named on one of these lists is at the peril of the exporting organization.
Export Control Classification Numbers (ECCNs)
Another key component of navigating export controls is understanding Export Control Classification Numbers (ECCNs). These alphanumeric designations are used to identify items for export control purposes. Each ECCN provides the reasons for control and indicates what license requirements apply based on the destination, end-user, and end-use of the product. High-tech products, such as advanced electronics, encryption software, and certain types of manufacturing equipment, often fall under stringent ECCN regulations. For tech companies, correctly classifying their products and understanding the associated ECCN controls is critical to ensuring compliance and avoiding potential penalties.
It seemed sensible to include this during a discussion of trade compliance and technology. Not all technical products are assigned an ECCN, and products without one are treated as though they are as sensitive as general widgets—or maybe books.
Cyber-related concerns on the Entity List
But back to our feature presentation.
In 2017, the U.S. government banned the use of Kaspersky software in federal agencies, citing concerns over potential ties between Kaspersky and the Russian government. This ban reflects broader concerns about cybersecurity threats and the risks associated with certain foreign entities. Similar concerns have led to the inclusion of other tech companies on the Entity List, emphasizing the importance of rigorous cybersecurity measures and scrutiny when dealing with international partners and the reach they have into the U.S. economy.
The Entity List also includes various companies involved in cyber espionage and malicious cyber activities. For instance, Chinese tech companies like Huawei and ZTE have faced significant restrictions due to allegations of espionage and potential threats to national security. These cases highlight the increasing intersection between cybersecurity and international trade regulations, and both companies were added years ago. For Huawei, it was 2019, and ZTE predates it, from 2016.
Impact on high-tech sector
The implications of trade restrictions are profound for the high-tech sector. Companies must implement robust compliance programs that aren't exactly cybersecurity compliance programs but that manage the added complexities of international trade regulations. This includes thorough due diligence processes and recordkeeping, regular audits, and comprehensive employee training to ensure adherence to all relevant export control laws. Keeping abreast of changes to these lists and regulations is essential, as new entities are regularly added or removed based on shifting geopolitical landscapes. And this often happens without fanfare.
ZTE Corporation, a major Chinese telecommunications company, serves as a fitting case study of the severe impact these restrictions can have. In 2018, ZTE was added to the Entity List after it was found to have violated U.S. sanctions by illegally shipping U.S. goods to Iran and North Korea. The inclusion of ZTE on the Entity List effectively barred it from accessing essential U.S. components, which brought its operations to a near standstill. This scenario underscores the critical need for compliance and the potential consequences of violating export control regulations. Ignorance of trade compliance regulations is not a defense.
For companies navigating these complex regulatory channels, implementing effective compliance strategies is crucial. Tech companies can do so by extending a practiced security mindset toward trade compliance. This includes developing a comprehensive and documented export compliance program with sign-off by senior management and staying informed about regulatory changes. Leveraging technology solutions—such as automated screening methodologies and compliance software—can also help manage the extensive due diligence required to ensure compliance and effective management of international trade.
Moving ahead
Navigating the Entity List and other restricted parties lists, along with understanding ECCNs and the need for true and proactive trade compliance, is indispensable for high-tech companies engaged in international trade—whether they know it or not. By maintaining strict compliance protocols and staying informed about frequent regulatory changes, organizations can mitigate risks and continue to operate smoothly in the global market. The cases of Kaspersky, Huawei, and ZTE serve as stark reminders of the importance of compliance in maintaining business continuity and protecting national security.