What Features Should Your ITAR Compliance Program Contain

Written by Orchid


November 13, 2014



Firearm ITAR / Firearm Export Compliance Programs for my FFL

Detailed guidelines are provided on the DDTC website. DDTC’s guidance doesn’t tell registrants exactly what they need to do, however. There is no “one size fits all” compliance program. DDTC is careful to note that its guidelines consist merely of a list of “important elements of effective manuals and programs.”

They’re a good start, though. This Advisory will review the DDTC compliance program guidelines and provide context to help you understand them, which, if we achieve our intent, will bring you a step closer to being able to implement them.

The first group of guidelines on the DDTC site directs registrants to map out their organization structure and ITAR-related functions. Why does this matter? There are several things going on here. One is to identify the “owners” within the organization of the functions that bear upon export compliance. Who is responsible for what? Who provides executive leadership? Who is responsible for denied party screening when it’s required? Who is responsible for training? In the area of licensing, to whom does the person uploading license applications to DDTC report? The list goes on. DDTC’s point is that all export-relevant functions should be identified and their relationships to one another mapped out in an accurate and comprehensible fashion.

The next area the guidelines cover is corporate commitment and policy. In this area, DDTC lists a bunch of points that can be grouped into two categories. The first is organizational commitment. A good compliance program contains mechanisms for demonstrating the company’s commitment to export compliance on an ongoing basis. How is the correct “tone at the top” communicated and reinforced downward throughout the organization so the correct “tone” exists from top to bottom? Is there employee training so all employees know what “technical data” is, what “defense services” are, who a “foreign person” is and so on? In other words, an effective compliance program should cause the organization to “live” compliance. The second category is policy. Comprehensive, clear, written, accessible policies covering all applicable areas are an important part of an effective export compliance program. DDTC’s guidelines provide helpful detail covering both commitment and policy.

The guidelines then proceed to two areas that don’t really require amplification here. First, the compliance program should state the ways in which the organization identifies, receives and tracks ITAR-controlled items and technical data. Numerous specific matters to incorporate into the program are listed. Second, a compliance program should include mechanisms to ensure that DDTC authorization is obtained prior to the transfer of an ITAR-controlled item or technology to any foreign person who has not been authorized to receive it. The controls that need to be considered are outlined in the DDTC guidelines.

The next topic a compliance program should address, according to DDTC’s guidance, is “restricted/prohibited exports and transfers.” The focus here is on having policies and controls in place to prevent the organization and its personnel from interacting with people or entities who are on “denied parties” lists or who are citizens of prohibited countries. A compliance program should also contain mechanisms for the organization to spot and react to “red flags” when they appear in an export transaction.

Good record-keeping is also a component of an export-compliance program. When a license from DDTC is obtained, the relevant records need to be maintained for five years from the expiration of the license. For records to be useful over that long a period, they must be well-organized and complete.

The guidelines then turn to what DDTC calls “internal monitoring,” better known in industry as “internal audits.” DDTC is saying here that the performance of periodic self-audits is an essential part of an export compliance program: even with well-drawn procedures and controls, it is important to make sure they work as intended. Part of this is ensuring that employees at all levels of the organization know how to bring suspected violations of company export compliance policies to the attention of the appropriate individuals without fear of retribution.

Training is addressed as a separate topic, although it also is included as a component of several previous sections of the DDTC guidelines. The ITAR is complicated, as are the policies and procedures needed to comply with the regulations. Training is therefore an essential component of an export compliance program. Experts generally agree that everyone in a DDTC registrant’s organization requires at least some level of ITAR training, while the personnel more closely involved in ITAR-sensitive functions need a higher level of training. Training must occur for new employees and at regular intervals thereafter.

The DDTC guidelines end on a down note, indicating that a compliance program should contain procedures for addressing violations and for penalizing non-compliance. In the ITAR world, violations and penalties are two distinct topics. Most violations don’t lead to penalties, but DDTC wants to hear about them. DDTC expects registrants to disclose violations voluntarily. Accordingly, the compliance program should spell out the mechanisms by which the organization will ensure that violations are reported to DDTC by the appropriate officials in the organization and that corrective action is taken. Penalties enter the picture when there is no effort to comply with the ITAR, when deliberate violations occur and when DDTC directs a registrant to disclose violations the registrant has not disclosed voluntarily. All members of the registrant’s organization should understand, as part of the compliance program, that civil and criminal sanctions can be imposed against the organization and responsible individuals in the event of willful violations of the ITAR or the Arms Export Control Act.

Wow. That’s a lot. Do you want to run away, or bury your head in the sand, or both? Understandable, but, remember, if you make firearms, components, accessories or ammunition, these guidelines most likely apply to you. If you and your staff don’t have the time or expertise to put a compliance program in place by yourselves, outside firms like Orchid Advisors and others can take much of the burden off your shoulders and make the task easier.

Think of this another way, though. Once you have registered with DDTC and your ITAR compliance infrastructure is in place, why not start participating in the export market? It’s not that hard. In our next Advisory, we’ll start looking at the nuts and bolts of exporting ITAR-controlled items.

By Jeff Grody
Principal and Export / ITAR Practice Lead

Orchid Advisors assists firearms manufacturers, distributors and retailers in achieving compliance and operational excellence through education, technology, software and consulting solutions that reduce risk, cut costs, and provide expert guidance to make our clients’ businesses more successful and efficient.