When it comes to ITAR compliance, organizations need to run a tight ship.
Stringent rules paired with complex operations can make compliance a tall order, but failing to adhere means opening the door to extremely harsh penalties. Two recent cases illustrate this. Compliance problems for two large organizations resulted in $13 million USD and $30 million USD in civil fines and remedial compliance measures respectively. Administration, documentation, and communication mistakes contributed to these penalties, and unfortunately, these are categories of errors that we often see organizations encounter.
In this piece, we examine the errors that led to these penalties and discuss what organizations can do to reduce the possibility of repeating them.
ITAR for manufacturing and supply chain organizations
International Traffic Control Regulations (ITAR) control the export of goods, services, and data listed on the United States Munitions List. Manufacturers, exporters, and brokers of these items must adhere to wide-ranging and detailed regulations. It is expected that leaders and employees in organizations subject to ITAR are fully educated and trained regarding the requirements. Violations can lead to significant civil and criminal consequences. Our companion article on ITAR explains this in greater detail and illustrates how a visitor management system can support compliance.
“Violations caused by systemic administrative issues”
The charging letter against one information technology services provider and defense contractor listed a number of ITAR violations, including some related to “systemic administrative issues.” These issues specifically involved the handling of DSP-73 licenses, which permit the temporary export of controlled goods.
Many of the infractions were related to information management. Issues included the presentation of incorrect license numbers, insufficient record maintenance related to licenses, and the incorrect listing of item quantities and values on import and export paperwork.
The resulting agreement with the U.S. Department of State required the company to come into compliance, and to accept a penalty of $13 million USD in fines and resources devoted to remedial measures.
Failure to collect citizen information
A second example involves a technology company that did not collect citizenship information about some employees. Collection of this information is required in some cases for licensing purposes. In a voluntary disclosure, the company admitted that due to this oversight, permission to access sensitive technical data may have been improperly provided to some employees.
The penalty in this case: $30 million USD in fines and remedial compliance measures.
ITAR compliance in facility security
As we’ve seen, human error and spotty recordkeeping can be costly. The types of errors that led to millions of dollars in penalties can also be made when documenting visitors to a facility containing sensitive equipment, products, and information.
Well-designed processes combined with automation and training can help to streamline and strengthen an ITAR compliance program and demonstrate the existence of processes to regulators. A visitor management system can support compliance best practices by:
- Screening all parties and verifying citizenship
- Maintaining complete, detailed, and uniform records on guests
- Providing easily accessible visitor audit documents
- Ensuring visitor identification badge issuance is included in check-in processes
- Notifying hosts of guest arrival or alerting relevant parties of visitor-related risks and issues
With a VMS, visitor data can be exported and records can be kept and retrieved as needed. Just as importantly, the system automates steps to reduce human error or single points of failure when one person is responsible for collecting and inputting visitor data. This means that processes can be established to decrease the odds that small, avoidable oversights and omissions will result in hefty, publicly-listed fines and penalties.
VMS can make compliance processes faster and more seamless by simplifying steps for users, arranging required actions in one smooth workflow, and reducing the kinds of administrative, documentation, and communication errors that lead to massive penalties like the ones highlighted above. Awareness of these examples and exploration of how automated systems can enhance compliance programs can help organizations avoid similar, costly outcomes.