The Opinions set forth nine basic elements that should be included in an internal compliance program for export control which are explained and illustrated in detail in the Guidelines. These basic elements are similar to those provided in the compliance guidelines on Export Management and Compliance Program (EMCP Guidelines) published by the U.S. Commerce Department Bureau of Industry and Security (BIS). The BIS Guidelines introduce nine key elements of a comprehensive and effective compliance program for an exporter of U.S.-origin dual-use items and provide information, tools and templates to help companies develop an EMCP.
While MOFCOM’s Guidelines are not legally binding, they provide a foundation for the basic structure of internal compliance programs for export control for exporters in China, including universities and research institutions.
The nine basic elements that should be included in an internal compliance program for export control as described by the Opinions and Guidelines are summarized below. We also provide a brief comparison between these elements and those provided under the BIS Guidelines.
1. Formulating the Policy Statement
A key senior management of the exporter should be the principal responsible person for export control compliance and should issue a policy statement to publicly support the export control compliance policy of the entity.
Both the MOFCOM Guidelines and the BIS Guidelines recognize the importance of management commitment to an effective export control compliance program.
Both Guidelines recommend that the policy statement should include an explanation of the basic purpose of export controls, affirmation of the company’s commitment to export compliance and commitment of appropriate resources to compliance, commitment not to violate export regulations and laws, description of penalties for non-compliance, and the appropriate responsible official to go to whenever there is any question concerning the legitimacy of a transaction or potential violation.
2. Establishing a Proper Compliance Team
The Guidelines recommend establishing an export control compliance team that includes (i) an export control compliance committee led by the top decision-making authority of the entity, (ii) an export control compliance department, and (iii) various departments implementing the export control compliance policies. Exporters may establish their export control compliance teams with reference to the Guidelines based on their own business scale, assessment of risk exposures and other relevant elements.
Similarly, the BIS Guidelines recommend having specific export compliance positions as part of the compliance team; for example, EMCP administrator, senior export manager, technology export manager, etc.
3. Comprehensively Assessing Risks
The Guidelines suggest that an exporter should comprehensively assess its export control risk exposures on a regular basis regarding:
- Whether an item is listed in the Catalogue of China’s Export Prohibited and Restricted Technologies;
- Whether an item is subject to Chinese law and/or laws of other jurisdictions; and
- What is the end use of the item.
- Scope of business of the customers;
- Types of customers (e.g., manufacturer, distributor, end-user, etc.);
- Whether the customer is on any export control or sanctions list; and
- Risk level of the country or region of the customer.
- Technology and research and development
- Internal operations
- Compliance with China’s Export Control Law
- Third-party partners
- Risk prevention measures
The BIS Guidelines provide similar risk assessment guidance and recommend that the company consider the following factors as potential points of vulnerability: a) company structure (e.g., location of corporate headquarters, operating divisions, including manufacturing facilities, and domestic and foreign subsidiaries and affiliates); b) industry sector and business type; c) customers (including resellers and end-users); d) countries where the customers are located; e) potential products (including commodities, software and technologies) for export; f) end-use of the products; g) export order process; and h) shipping patterns.
4. Establishing Review Process
The Guidelines suggest that an exporter should conduct risk-based review throughout the entire process of a transaction, including:
- Due diligence before signing a contract;
- Inclusion of export control clause in a contract;
- Application for the applicable license; and
- Performance of a contract.
The Guidelines also include a list of “red flags” (as Attachment 1 to the Guidelines) that an exporter should pay attention to in the course of due diligence on its customers, such as irregularities with respect to the customers, the products to be sold and the shipment of the products.
BIS Guidelines likewise provide a “know your customer” guidance to determine whether there are “red flags” related to the proposed transaction and what actions to take to resolve such red flags.
5. Formulating Contingency Measures
An exporter should provide its employees, customers and other third-party partners with safe and unrestricted channels to report any compliance issues on an anonymous basis and ensure full confidentiality of any report and the person that makes the report. An exporter should also reward its employees that actively participate in the export control compliance of the entity and punish (or dismiss) those who violate compliance rules and policies.
An exporter should establish contingency measures to deal with any possible export control risk and violation, such measures may include conducting internal investigations, reporting to internal export control department and/or senior management, and reporting any violation or possible violation to the applicable export control government authority.
The BIS Guidelines emphasize the importance of the management’s commitment to the compliance program and fostering a safe environment for employees to raise questions or concerns about compliance issues.
6. Carrying out Education and Training
The Guidelines suggest that an exporter should develop different training programs for employees of different departments and responsibilities (e.g., R&D, procurement, sales, finance, logistics, etc.) and should provide training to new employees for them to understand their compliance responsibilities.
The BIS Guidelines also highly recommends advanced formal training, at least annually, for employees who are directly responsible for ensuring the company’s export compliance in order to remain current on regulatory requirements, industry practices, and compliance issues. Such training may be in the form of online classes, in-house seminars or external seminars.
7. Improving Compliance Audit
Compliance audit includes both comprehensive audit and special audit, which focus on specific departments or export processes. The Guidelines set forth the procedures for a compliance audit and provide a sample questionnaire for export control compliance audit.
The Guidelines suggest that a comprehensive audit can be scheduled on a regular basis, but a special audit can be conducted as needed. The special audit is similar to the “internal checks” in the BIS Guidelines, which generally involve a transaction-level and process-level review of compliance efforts with a special emphasis on areas of high risk.
BIS Guidelines generally require organizations to perform audits on their export facilitators to make sure the Electronic Export Information (EEI) information is filed correctly, export classifications are up to date, and regulatory requirements are being performed accurately and timely.
8. Maintaining Documents and Files
The Guidelines provide a list of documents and files that should be maintained by an exporter, such as specifications of the products exported, transaction documents, end-user and end-use certifications, etc. An exporter may adjust the scope of such list based on its actual practice. The Guidelines suggest that all these documents and files should be maintained for at least five years.
Recordkeeping is also a key element in the BIS Guidelines, which also requires the companies to establish written procedures to identify the individuals who are responsible for the operation, use, and maintenance of the recordkeeping system. Procedures for the inspection and quality assurance of records should be documented. A record should also be kept of where, when, by whom, and into what system the required export documentation is maintained.
9. Developing Management Manual
An exporter should develop a management manual which incorporates, among others, the eight elements described above. That manual should be updated from time to time based on any change of laws and regulations and should be easily accessed by all employees.
The BIS Guidelines also strongly recommend companies to develop a set of formal written policies and procedures—an Export Management and Compliance Program Manual—to guard against sales of sensitive or dual-use technology to unauthorized parties or for unauthorized activities.
China’s Export Control Law imposes severe penalties on entities and individuals that violate export control laws and regulations, including (i) warning; (ii) order to stop illegal activities; (iii) confiscation of illegal gain; (iv) monetary fine; (v) suspension of business; (vi) revocation of export business qualification; and (vii) revocation of export license. Any person directly responsible for a violation may be prohibited from engaging in relevant export activities within the next five years. MOFCOM also offers export compliance incentives to encourage exporters to establish export compliance programs. For instance, the Export Control Law allows an exporter who has a well-established internal compliance program to apply for a general license.
While the Guidelines are not mandatory, it is important for Chinese domestic companies and Chinese subsidiaries of multinational companies with import and export business to establish a robust internal export control compliance program to mitigate risks. The Guidelines apply to general exporters, including:
- exporters applying for the Instructions on End Users and End Uses to MOFCOM;
- exporters and importers of commercial encryption products and precursor chemicals as well as operators that provide services in the areas of freight, agency, delivery, customs declaration, third party e-commerce transactions, and financial services for the export of dual-use items; and
- enterprises and scientific research institutes engaged in the research, development, and production of dual-use items.
While the Guidelines provide detailed guidance on the recommended elements for an export control compliance program of an entity, each entity should establish its export control compliance program based on its own needs and risk exposure. Tailoring the compliance program to address a company’s geographic, supply-chain, or industry related risk is key to establishing a successful compliance program.