Why Proper Data Management is Critical to Your Export Control Processes
-
March 14, 2025
-
How confident are you in the integrity of your company’s export control processes? It may seem like a straightforward question but answering it may give you pause. Why? For one, compliance with export controls regulations such as the Export Administration Regulations (“EAR”) and International Traffic in Arms Regulations (“ITAR”), can be a complex and challenging landscape to navigate. Equally important, another reason is export control processes depend heavily on data – and managing data appropriately is itself a complicated matter. Companies that don’t fully understand the role that data plays in export control processes and compliance risk facing substantial fines, reputational damage, and even criminal charges.
Early Signs of Increased Enforcement
Just this year, the U.S. Department of State entered into consent agreements with Boeing1 and RTX2 to resolve violations of the Arms Export Control Act (“AECA”) and the ITAR for $51 million and $200 million, respectively. Both companies disclosed all the alleged violations voluntarily. Sizable portions of those settlements – $24 million for Boeing and $100 million for RTX – are suspended on the condition that the funds will be used to strengthen compliance measures.3, 4
Events like these have not gone unnoticed by companies facing similar risks, nor by the executives responsible for managing this exposure—ranging from in-house legal teams and external counsel to compliance, IT, manufacturing, and other departments.
Working with these companies and teams deepens our insight into where comparable entities are vulnerable to the consequences of compliance failures and data’s role in these outcomes. If you’re responsible for this work, or make key contributions to it, you may want to spend a few minutes refreshing your understanding about how to identify and self-report incidents, comply with audits, and improve systems, from data and analytics to export controls and sanction-related risk management.
Know Your Systems
First, it’s important to know “what you have under the hood” – at least at a high-level, even if your job responsibilities are not IT-specific or technical in nature. Understand what systems are used, how they’re used, and what types of data they rely on.
Your enterprise resource planning (“ERP”) system, for example, centralizes data from departments like sales, procurement, and logistics. It can be integrated with sanctions screening tools to automatically check customer, supplier, and end-user information against restricted party lists. Furthermore, it can automate export license applications, process documentation, and even alerts for compliance issues. It’s also a valuable tool for end-use and destination controls.
Familiarize yourself with other relevant systems as well. Trade compliance management systems or specialized software can help automate export control processes, from screening transactions against export control lists to generating export licenses and performing record keeping. Data analytics can be utilized to analyze export control data to uncover potential risks or compliance issues. As your understanding deepens, look carefully at whether these systems are standardized across your operating footprint. Are they consistent across each of your business units? When you acquire or merge with another company, are their systems rolled into yours or allowed to continue operating independently?
Manage Your Vendors
Next, examine how your vendor and supplier screening processes work and whether they’re properly aligned with your export control processes. Investigate what is done with regard to standardizing your master vendor database; screening vendors and suppliers against sanctioned party lists, restricted party lists, and other export control regulations; and taking pains to avoid introducing inaccurate, incomplete, misleading, or duplicate vendor data into your systems.
In fact, many of the broader suggestions two of our colleagues recently published5 on the finer points of vendor selection in high-risk compliance environments are relevant here as well. These include, for example, understanding how a particular vendor’s solution operates day-to-day, conducting proof-of-concept testing before going live, reviewing pre- and post-implementation data and model validation, and establishing appropriate parameter and threshold settings supported by underlying data analytics.
Understand Where Goods Are Manufactured
The origin of goods for export helps determine whether they are subject to controls, and drives tariff classification and duties, which vary by country and product. Tariffs are expected to change under the next U.S. administration so be sure that your company is ready to adjust its tariff calculations accordingly. As a regulated party, you don’t want to unknowingly export them to a restricted destination or classify them incorrectly, which can lead to incorrect import duties and taxes, financial penalties, delays in customs clearance, non-standard inspections, and potential seizures. Verify that your entity is obtaining the correct Certificate of Origin, whether your goods are subject to standard international trade regulations or meet the rules of origin that may make them eligible for preferential treatment, such as reduced or zero tariffs. Be sure to factor the Bill of Materials into classification. And make sure your teams understand the difference between the EAR and ITAR protocols. The former covers a broader range of items, such as dual-use goods with both civilian and military applications.
Differentiate Between Physical Shipments and Technical Data Transfers
In short, different regulations, controls and risks apply. Physical goods and their exports fall under the purview of the EAR, which works to mitigate the proliferation of weapons of mass destruction, military equipment, and other sensitive technologies via export licensing.6
Intangibles – information that can be transferred electronically, in writing, or orally such as blueprints, source code, and technical manuals – are governed by the ITAR.7 The regulations are designed to prevent the transfer of sophisticated technologies that could be used for military or other sensitive purposes, typically by requiring information security controls such as encryption, access controls, physical security, network security, data classification and labelling, and employee awareness training.
You’ll need to ensure that all physical shipments are tracked throughout their journey both internally and externally, including multiple segments before the items reach their final destination. Pay special attention to the use of virtual cost centers and its implications for physical shipments. For technical data transfers, you’ll need to think through complex issues such as classification and storage locations, especially when the documents contain multiple parts with different classifications.
Evaluate How You’re Managing License and Exemptions Data
Examine this area closely—particularly how your company manages license decrementation and technical data exports related to system access or internal data exchanges. Tracking license usage and ensuring alignment with authorized quantities or values—known as decrementation—isn’t just critical for compliance; it also helps prevent overuse and avoids the legal and financial repercussions that can arise from it. This process provides essential insights for managing resources and minimizing delays. Are you capturing key details like the type of export, quantity or value transferred, and the specific license tied to each transaction? And what about technical data exports? Are you consistently performing manual or automated reviews of internal communications—such as emails, discussions, and presentations—to assess whether they contain controlled information? Have you implemented secure systems to store and access technical data in ways that prevent unauthorized distribution?
Recognize the Cost of a Compliance Failure
As you assess your company’s export control processes and the data that courses through it, consider the consequences of compliance failures rooted in bad data, poor systems, errors in disclosures, or violations of consent agreements. For example, according to the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”), “violations of the Export Administration Regulations, 15 C.F.R. Parts 730-774 (“EAR”) may be subject to both criminal and administrative penalties. Under the Export Control Reform Act of 2018 (50 U.S.C. §§ 4801-4852) (“ECRA”), criminal penalties can include up to 20 years of imprisonment and up to $1 million in fines per violation, or both.”8 ITAR-related fines and penalties are similarly onerous, depending on the scale and breadth of the violations. Financially, as the Boeing and RTX consent agreements reflect, these can reach tens of millions of dollars. Additional consequences can extend to outcomes such as denial of export privileges, criminal prosecution, increased scrutiny from custom authorities, and potential goods seizure,9 as well as supply chain delays, the costs of corrective actions, loss of business opportunities, and reputational damage.
Export Control Processes Are Only As Good as Your Data
Today, understanding how data flows through your export control processes is vital to your company’s compliance-related risk management. Think about how important data is to export control tasks – such as identifying controlled items and technologies, tracking exports and transfers, monitoring the end-use and destination of exported products, managing licenses and exemptions, and facilitating compliance audits.
This imperative is only going to grow with time. Regulations are constantly changing, especially at a time when geopolitical tensions and trade disputes are at a high. Artificial intelligence and machine learning capabilities will accelerate the replacement of manual processes with automation, while identifying high-risk activities and enabling the analysis of large datasets to uncover potential compliance issues. Additionally, strategic factors like acquisitions, mergers, and changes in business models will place new challenges on your export compliance controls.
Don’t wait for a crisis or an audit. Gaining confidence in your export control processes starts with ensuring the integrity of your data—and there’s no better time to build that assurance than now.
Footnotes:
1: U.S. Department of State, “U.S. Department of State Concludes $51 Million Settlement Resolving Export Violations by the Boeing Company,” February 29, 2024.
2: U.S. Department of State, “U.S. Department of State Concludes $200 Million Settlement Resolving Export Violations by RTX Corporation,” August 30, 2024.
3: U.S. Department of State, “U.S. Department of State Concludes $51 Million Settlement Resolving Export Violations by the Boeing Company,” February 29, 2024.
4: U.S. Department of State, “U.S. Department of State Concludes $200 Million Settlement Resolving Export Violations by RTX Corporation,” August 30, 2024.
5: Shayne Begin and Ozgur Vural, “Vendor Selection and Model Design for FinCrime Compliance Solutions.” Corporate Compliance Insights (September 10, 2024).
6: U.S. Department of Commerce, Bureau of Industry and Security, “Export Control Basics,” Bureau of Industry and Security (n.d.).
7: U.S. Department of State, Directorate of Defense Trade Controls, “ITAR & Export Controls,” Directorate of Defense Trade Controls (n.d.).
8: U.S. Department of Commerce, Bureau of Industry and Security, “Penalties Under the Export Control Reform Act of 2018,” Bureau of Industry and Security (n.d.).
9: U.S. Department of Commerce, Bureau of Industry and Security, “Search the EAR, Section 764.3 Sanctions,” Bureau of Industry and Security (n.d.).
Related Insights
Related Information
Published
March 14, 2025
Key Contacts
Senior Managing Director