While sanctions restrict trade and dealings with specified individuals, entities and states, export controls restrict the distribution of specified products & services, namely military goods and items that can have a dual civilian and military use.
In the past, compliance with sanction and export regimes was largely seen to be an issue for companies that dealt with military hardware or products that had a clear potential military use & for banks supplying financial assistance to sanctioned entities. That mind-set is now dangerously outmoded.
Technological advancement in ‘civilian’ products and software has resulted in many of these products and services being caught by sanctions and export control regimes. The most obvious example being the now widespread use of encryption software in civilian products and services used to secure data that is transmitted wirelessly between electronic devices. This presents significant challenges for tech companies. These challenges are compounded by the ease with which technology and software services can be transferred globally and the difficulties with identifying and restricting potential access. With the ever-increasing use of cloud services, this is a growing issue.
Tech companies considering sanction and export compliance must address three fundamental questions:
- Are any of our products or services (or part of them) controlled?
To establish the status of products/services, tech companies operating in the UK must refer to the UK Strategic Export Control Lists (which incorporate EU controls). They should also be aware of the US export control regime, which has wide-reaching extraterritorial effect. Exemptions may apply. For example, certain open source software and “mass-market” software products using encrypted technology are exempt from requiring a license.
- To whom do we supply our products/services?
Companies should have a method of screening customers and related parties before access is given to products/services to ensure they are not on any sanctions list. This can be managed internally with specialised software or subcontracted to third party providers. These checks should also be carried out periodically on existing customers to capture any updates to sanction lists.
- What is our geographic scope?
This can often be the hardest question for tech companies that supply goods/services electronically. All companies should understand their potential geographic scope of supply to ensure they are not providing goods or services to sanctioned states or entities. For companies supplying controlled products or services, it is essential that access is geographically limited or that appropriate export licences are obtained. Limitation can be achieved in a number of ways: by restriction of supply to specific servers; or, if cloud services are being used for distribution, ensuring that the cloud service itself has appropriate restrictions in place.
Navigating the complexities of international sanctions and export control regimes is daunting but crucial. Where there is any doubt as to the status of goods, the geographic scope of supply, or the application of sanction and/or export control regimes, legal advice should be sought as a matter of urgency.